Edit tour

Windows Analysis Report
hesaphareketi-01.pdf.exe

Overview

General Information

Sample name:	hesaphareketi-01.pdf.exe
Analysis ID:	1576523
MD5:	f8b8beccdf66e3ef9ca54ac632ceb47b
SHA1:	24a275521156c3d36a452a09b69b7fc9a1981f7e
SHA256:	2cdfbaeb99da97fe3ed7bc8370f3af2a9c1a27e2812119a666f457264f6ca801
Tags:	exegeonjratRATTURuser-abuse_ch
Infos:

Detection

AsyncRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension File Execution

Yara detected AntiVM3

Yara detected AsyncRAT

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected Generic Downloader

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

hesaphareketi-01.pdf.exe (PID: 6464 cmdline: "C:\Users\user\Desktop\hesaphareketi-01.pdf.exe" MD5: F8B8BECCDF66E3EF9CA54AC632CEB47B)

RegSvcs.exe (PID: 6004 cmdline: "C:\Users\user\Desktop\hesaphareketi-01.pdf.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Malware Configuration

Threatname: AsyncRAT

{"Server": "oshaduck123.duckdns.org", "Port": "6606,7707,8808", "Version": "0.5.8", "MutexName": "ZWwiD1mukwdK", "Autorun": "false", "Group": "null"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.3297697329.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000002.00000002.3297697329.0000000000402000.00000040.80000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x97b5:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000000.00000002.2064888141.0000000003660000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000002.2064888141.0000000003660000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.2064888141.0000000003660000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x9923:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x66ff:$a3: get_ActivatePong 0x9b3b:$a4: vmware 0x99b3:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x745a:$a6: get_SslClient
00000000.00000002.2064888141.0000000003660000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x99b5:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: hesaphareketi-01.pdf.exe PID: 6464	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: hesaphareketi-01.pdf.exe PID: 6464	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 6004	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 6004	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x37102:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x9923:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x66ff:$a3: get_ActivatePong 0x9b3b:$a4: vmware 0x99b3:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x745a:$a6: get_SslClient
2.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x99b5:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.hesaphareketi-01.pdf.exe.3660000.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.hesaphareketi-01.pdf.exe.3660000.1.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x7b23:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x8e38:$a2: Stub.exe 0x8ec8:$a2: Stub.exe 0x48ff:$a3: get_ActivatePong 0x7d3b:$a4: vmware 0x7bb3:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x565a:$a6: get_SslClient
0.2.hesaphareketi-01.pdf.exe.3660000.1.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x7bb5:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.hesaphareketi-01.pdf.exe.3660000.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.hesaphareketi-01.pdf.exe.3660000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.hesaphareketi-01.pdf.exe.3660000.1.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x9923:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x66ff:$a3: get_ActivatePong 0x9b3b:$a4: vmware 0x99b3:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x745a:$a6: get_SslClient
0.2.hesaphareketi-01.pdf.exe.3660000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x99b5:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Click to see the 6 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\hesaphareketi-01.pdf.exe", CommandLine: "C:\Users\user\Desktop\hesaphareketi-01.pdf.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe, NewProcessName: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe, OriginalFileName: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Users\user\Desktop\hesaphareketi-01.pdf.exe", ProcessId: 6464, ProcessName: hesaphareketi-01.pdf.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000002.00000002.3298655604.00000000032B1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: AsyncRAT {"Server": "oshaduck123.duckdns.org", "Port": "6606,7707,8808", "Version": "0.5.8", "MutexName": "ZWwiD1mukwdK", "Autorun": "false", "Group": "null"}

Multi AV Scanner detection for domain / URL

Source: oshaduck123.duckdns.org	Virustotal: Detection: 6%			Perma Link
Source: oshaduck123.duckdns.org	Virustotal: Detection: 6%			Perma Link

Multi AV Scanner detection for submitted file

Source: hesaphareketi-01.pdf.exe	Virustotal: Detection: 57%			Perma Link
Source: hesaphareketi-01.pdf.exe	ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: hesaphareketi-01.pdf.exe

Joe Sandbox ML: detected

Source: hesaphareketi-01.pdf.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: hesaphareketi-01.pdf.exe, 00000000.00000003.2062895935.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, hesaphareketi-01.pdf.exe, 00000000.00000003.2060763805.0000000003A20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: hesaphareketi-01.pdf.exe, 00000000.00000003.2062895935.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, hesaphareketi-01.pdf.exe, 00000000.00000003.2060763805.0000000003A20000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E7445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00E7445A
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E7C6D1 FindFirstFileW,FindClose,	0_2_00E7C6D1
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E7C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00E7C75C
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E7EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00E7EF95
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E7F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00E7F0F2
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E7F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00E7F3F3
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E737EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00E737EF
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E73B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00E73B12
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E7BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00E7BCBC

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: oshaduck123.duckdns.org

Uses dynamic DNS services

Source: unknown

DNS query: name: oshaduck123.duckdns.org

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.pdf.exe.3660000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2064888141.0000000003660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: Joe Sandbox View	IP Address: 192.169.69.26 192.169.69.26
Source: Joe Sandbox View	IP Address: 192.169.69.26 192.169.69.26

Source: Joe Sandbox View

ASN Name: WOWUS WOWUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Code function: 0_2_00E822EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00E822EE

Source: global traffic

DNS traffic detected: DNS query: oshaduck123.duckdns.org

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.pdf.exe.3660000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.pdf.exe.3660000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3297697329.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2064888141.0000000003660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hesaphareketi-01.pdf.exe PID: 6464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6004, type: MEMORYSTR

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Code function: 0_2_00E84164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00E84164

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Code function: 0_2_00E84164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00E84164

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Code function: 0_2_00E83F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00E83F66

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Code function: 0_2_00E7001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00E7001C

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Code function: 0_2_00E9CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00E9CABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.hesaphareketi-01.pdf.exe.3660000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.hesaphareketi-01.pdf.exe.3660000.1.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.hesaphareketi-01.pdf.exe.3660000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.hesaphareketi-01.pdf.exe.3660000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000002.00000002.3297697329.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000002.2064888141.0000000003660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000000.00000002.2064888141.0000000003660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 6004, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00E13B3A
Source: hesaphareketi-01.pdf.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: hesaphareketi-01.pdf.exe, 00000000.00000000.2050982429.0000000000EC4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_dc905a3a-c
Source: hesaphareketi-01.pdf.exe, 00000000.00000000.2050982429.0000000000EC4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_eafd65f2-d
Source: hesaphareketi-01.pdf.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f66714ef-6
Source: hesaphareketi-01.pdf.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_b1035546-3

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: hesaphareketi-01.pdf.exe

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Code function: 0_2_00E7A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00E7A1EF

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Code function: 0_2_00E68310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00E68310

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Code function: 0_2_00E751BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00E751BD

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E1E6A0	0_2_00E1E6A0
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E3D975	0_2_00E3D975
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E1FCE0	0_2_00E1FCE0
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E321C5	0_2_00E321C5
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E462D2	0_2_00E462D2
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E903DA	0_2_00E903DA
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E4242E	0_2_00E4242E
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E325FA	0_2_00E325FA
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E266E1	0_2_00E266E1
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E6E616	0_2_00E6E616
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E4878F	0_2_00E4878F
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E78889	0_2_00E78889
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E46844	0_2_00E46844
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E90857	0_2_00E90857
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E28808	0_2_00E28808
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E3CB21	0_2_00E3CB21
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E46DB6	0_2_00E46DB6
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E26F9E	0_2_00E26F9E
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E23030	0_2_00E23030
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E3F1D9	0_2_00E3F1D9
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E33187	0_2_00E33187
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E11287	0_2_00E11287
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E31484	0_2_00E31484
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E25520	0_2_00E25520
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E37696	0_2_00E37696
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E25760	0_2_00E25760
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E31978	0_2_00E31978
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E49AB5	0_2_00E49AB5
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E97DDB	0_2_00E97DDB
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E3BDA6	0_2_00E3BDA6
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E31D90	0_2_00E31D90
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E23FE0	0_2_00E23FE0
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E1DF00	0_2_00E1DF00
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_011854A8	0_2_011854A8

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: String function: 00E17DE1 appears 36 times
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: String function: 00E38900 appears 42 times
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: String function: 00E30AE3 appears 70 times

Source: hesaphareketi-01.pdf.exe, 00000000.00000003.2060923460.0000000003CED000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs hesaphareketi-01.pdf.exe
Source: hesaphareketi-01.pdf.exe, 00000000.00000003.2059869802.0000000003B43000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs hesaphareketi-01.pdf.exe
Source: hesaphareketi-01.pdf.exe, 00000000.00000002.2064888141.0000000003660000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameStub.exe" vs hesaphareketi-01.pdf.exe

Source: hesaphareketi-01.pdf.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.hesaphareketi-01.pdf.exe.3660000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.hesaphareketi-01.pdf.exe.3660000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.hesaphareketi-01.pdf.exe.3660000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.hesaphareketi-01.pdf.exe.3660000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000002.00000002.3297697329.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000002.2064888141.0000000003660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000000.00000002.2064888141.0000000003660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: RegSvcs.exe PID: 6004, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys

Source: 0.2.hesaphareketi-01.pdf.exe.3660000.1.raw.unpack, Settings.cs

Base64 encoded string: 'YNgyYAq4QNgLJletPDX2vX6o1U7y/+PLSpZXuoWI5bk4xjzpfvlccu+O2HtbrBxX9O/1YqF/osLIJY9WRvBECg==', '+Jlf4jFWw9sLiZKKLTzoID5b7tqnzO2zktlGuLxQxAioQIulWS60dE3uwzMNzeVO7BpT4KBMCBoOaM+V4kEZ1pV9gUzvZ9GIhO+xBFXFElM=', 'nV9r0buqY2QHGTeuF+x+rNjEKeL9xuKyiS3r9b+AorN7jDlQsDzWiJb5/SgGDTk0NXwSRHUxkVc5s5Mlq/5Kcg==', 'kS1wFLYiFuObKAQh+k2fghorlr25JCdJxXcqCEjHH1A130GYGiEflRU/oCBYGbGsj3e1G/69kg/oRFFspFUjc6odM4oN8v63g0SMV9neFdBGRiaOZthxP9DqfPCpYsDNw/tciUcpdX+ZvHxnacJxV1s8rWLsIS6BZP2xb0ctQaBmYgLHZRa878R9Chav20RB9UkmkhH9hsG7JR0FiwssV8VRjIj7PWZFQj9YKMD4RFY/SEaEgsZqaSQfohZcLU6M9J4fM6OcgBAeoXKr1XNp6OSyYZi+vCn4S4sK7g/RDkOygVuRGyIyfEtZYG5a1PY9rlY8DCDemEt8D41LFsKqBtnb6yi18dyaEx4INZ0CwyC2nE1SIzi+a3AokxagFf+1JU0ISZYX+56Jcu9shokeXaainGYgubF+4sYm8wFwn0y779HULjPp4LzqBbTS4VdGZv0+Ayg5RKnTK6jsAlyUKLv2ItUYWB4kb53MOHTYwlvEB4VyhAFlxqSNbLNFRZ7EemFpB6lXlz3bWgTEB59Ay0L9O4iSAutqGqZLGARR8Wcz3R1b08hPrGFKfr6uNnGNUsMQeYo9AhHlxCtK3daOW3B82KISlB5KcyrSjoBLmtfxpA8iXzROCtwBcFSh5E578mz7Z9WL8m5TdvEDKeyCXEASh2a7q5oOFZoXI/D5XAbW6MOWNx94bFHYp+8AlprXIvN654wZf3AgmCl3/tL5/Xinxe2dU1Kd3cMyaOx0Mdm2cNVZFeeLCEmADeJ1BC8oqn0REQ6KTZAslOJqW0YB4DIE/Dt/BNQzZ7t7BaYY7qRIr1c1DqdYQf0+rKM5EsKe292cUcYYRpv9zPNpu4EXb+BdjB452X+0n1WiRRnEfGPSZ8Xd3ZHoy+Fi9Oh9YwjOazmAh8yeXRouKjDqi2u43ETLUmq30sUDVC32sqvWqrH6YHNQWeX7Vr4gGAxH61z2c9tNKJdVUcZrlIYURIiFmEQbK/ABIKHZxwwA1PjqQ/6WbwnNWygFtBK+0rwwxt4XMbhjE/J0heZBGKWkYZKvWK/JhvrC40Spn7Lr3Lsb5qjoFeWhaf6Lqi4HpHWTln1afl1Fl1gyQFjHTAHvGq3i/HAyiXIgh/fG0pqzRAD8YpTlMQn8yHhQAwWOgQpEmyTr8lSGtIM+f4Be5Veq/+2XK9ar7DChW/+keKb6wZ9YvgHiT5OqKmYMg/ormsxSXi3qvLxqYKjIPlsAiPBnkp97p3iQuqoBG6mbmKF+OAUHIQ+K7sXJSHMxLJb7mZYqNMgS72HxfmlbxWWt8gztKJ79pJ7UCpnvoWunwnffrTo1N6x5kSOyjqlQAYfaeK2iOH3mw1CfBpurIqm/aeg985PhM7J+8KQMmyFCG9qpu6U0E+B+deisfGjA7przGBRtSP7nfifIEQ3/zzUPLM2JfKRoLXrZWxcGNUFMbyE7y8XvI/gBrp+XZQnuTXg+UmJXpVf7hWKIC5ht+HztKwR+iIjDyChcNbGHKgzN30PGqneGYB4ZDDk8UFEtc+1gNrTLlp9sDIXAsDoiWQ9+5lPSYGixYxzjcYOAe38WKi6TiAzodgxVo5UJbb5Q2B3klNNYwx8VEscGSaFJ6ht3H0GlJpjOluqmHslF1D4W9FeyenfoMGkrtkjbbnFjfr5OMJuYzf41nmWETMGf0m9Fi8XqyvtLMVBjpiX2vMjiaYKpL5YG1VmIysRwXbG3oMa40L8MM70mkLXsUiSX+Q+HXEHRT1wuRUA5ojdHB7FGPORuejdNG+quvVXX7QCQpBYDyvyWRKq0oeOIsft/btYAEa8vah7/4vhrk2SVp/lUq+s0lk74f4w8KOwW7zjv8D+MonfqzfIr6fV+RbCwRzEkA8cRa9KmXeEv3ivxoljrIM2Q47kP+4ma4ravHDb7Rm0Emyt9ziWH//jLcVS7jd/fWLfE9DDv2WROGKDAuXirJz4F88ZefhwB1F2zLHdkWE+ucAuO2jgavUyaEC23OKuIjvwL4T1p0GQf6mXGnoVbFO9JYNwgbGaPuAQXyun2/Wu7vxLnHjFytjt9jnbAFSixg83GOxQ9eCYGumngY1n12EqLS+1FrRA6jO2mWWLA/MuypnUhcXTGLsHGfcmEFuZTXlR513wlkItqt396XE9cI/L9JLTgq6LzbkjtoQM6ejjk9yFtBu0TrOiBt/ERm5KhEgKkYn+mNNOqNmDOkZKL9U8Qs/6noJZvdHzswDa7TbTRY8OPPycR9mWdqs8lDK6l2OrApTypYRTzI9ZxeAX/xFSnoGBoSg2lJv9ZRXEsobRsHefvz1fEnDmZIAJ0lY5JHIROAxnoKULXV6RVgUJfhwwzNSQ9x84=', 'xYXm2TtNzNkwRHAor9clEVI2++f8TREMlW2vILUwWt3R8I8yBzm5IWMEnucat5MpWxRCxi3SbTJV5v7PqceBfSMWSUDdttUi+k4BYh3mnhWIpetiQ1MjddvAFjsdAB994HcPSIZLwDmfS1a+3qcB80i4cofS+CiKoy+BN0OHcQOwqmdJixN/BQyudN+eT9Ei8WZlBniXyw/MzFjU1xJXYGtPUi3AVNeuCDrG4TyjmOMFt+wr2udGMrjM0cGHzmG24p1iZuhNKqt9T7Z/8ZdiMmq+8OQ8bmBKk/T6aUwzH/VpjKFTyh7kihQSezKzNIiJTp2D7lyyx8o2XGlWXwoUhmWt5rw/vVn

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/2@2/1

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Code function: 0_2_00E7A06A GetLastError,FormatMessageW,

0_2_00E7A06A

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E681CB AdjustTokenPrivileges,CloseHandle,		0_2_00E681CB
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E687E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00E687E1

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Code function: 0_2_00E7B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00E7B3FB

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Code function: 0_2_00E8EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00E8EE0D

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Code function: 0_2_00E883BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00E883BB

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Code function: 0_2_00E14E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00E14E89

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\ZWwiD1mukwdK

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

File created: C:\Users\user\AppData\Local\Temp\autAC23.tmp

Jump to behavior

Source: hesaphareketi-01.pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: hesaphareketi-01.pdf.exe	Virustotal: Detection: 57%
Source: hesaphareketi-01.pdf.exe	ReversingLabs: Detection: 55%

Source: unknown	Process created: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe "C:\Users\user\Desktop\hesaphareketi-01.pdf.exe"
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\hesaphareketi-01.pdf.exe"
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\hesaphareketi-01.pdf.exe"	Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Section loaded: wldp.dll	Jump to behavior

Source: hesaphareketi-01.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: hesaphareketi-01.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: hesaphareketi-01.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: hesaphareketi-01.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: hesaphareketi-01.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: hesaphareketi-01.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: hesaphareketi-01.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: hesaphareketi-01.pdf.exe, 00000000.00000003.2062895935.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, hesaphareketi-01.pdf.exe, 00000000.00000003.2060763805.0000000003A20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: hesaphareketi-01.pdf.exe, 00000000.00000003.2062895935.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, hesaphareketi-01.pdf.exe, 00000000.00000003.2060763805.0000000003A20000.00000004.00001000.00020000.00000000.sdmp

Source: hesaphareketi-01.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: hesaphareketi-01.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: hesaphareketi-01.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: hesaphareketi-01.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: hesaphareketi-01.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Code function: 0_2_00E14B37 LoadLibraryA,GetProcAddress,

0_2_00E14B37

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Code function: 0_2_00E38945 push ecx; ret

0_2_00E38958

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.pdf.exe.3660000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.pdf.exe.3660000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3297697329.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2064888141.0000000003660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hesaphareketi-01.pdf.exe PID: 6464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6004, type: MEMORYSTR

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.exe

Static PE information: hesaphareketi-01.pdf.exe

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E148D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00E148D7
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E95376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00E95376

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Code function: 0_2_00E33187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00E33187

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: hesaphareketi-01.pdf.exe PID: 6464, type: MEMORYSTR

Yara detected AsyncRAT

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.pdf.exe.3660000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.pdf.exe.3660000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3297697329.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2064888141.0000000003660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hesaphareketi-01.pdf.exe PID: 6464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6004, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

API/Special instruction interceptor: Address: 11850CC

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: hesaphareketi-01.pdf.exe, 00000000.00000002.2064888141.0000000003660000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3297697329.0000000000402000.00000040.80000000.00040000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-105610

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

API coverage: 4.4 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E7445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00E7445A
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E7C6D1 FindFirstFileW,FindClose,	0_2_00E7C6D1
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E7C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00E7C75C
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E7EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00E7EF95
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E7F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00E7F0F2
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E7F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00E7F3F3
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E737EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00E737EF
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E73B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00E73B12
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E7BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00E7BCBC

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Code function: 0_2_00E149A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E149A0

Source: RegSvcs.exe, 00000002.00000002.3297697329.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: vmware
Source: RegSvcs.exe, 00000002.00000002.3299948857.0000000005846000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

API call chain: ExitProcess graph end node

graph_0-104173

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Code function: 0_2_00E83F09 BlockInput,

0_2_00E83F09

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Code function: 0_2_00E13B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00E13B3A

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Code function: 0_2_00E45A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00E45A7C

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Code function: 0_2_00E14B37 LoadLibraryA,GetProcAddress,

0_2_00E14B37

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_01185338 mov eax, dword ptr fs:[00000030h]	0_2_01185338
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_01185398 mov eax, dword ptr fs:[00000030h]	0_2_01185398
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_01183D28 mov eax, dword ptr fs:[00000030h]	0_2_01183D28

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Code function: 0_2_00E680A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_00E680A9

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E3A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00E3A155
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E3A124 SetUnhandledExceptionFilter,		0_2_00E3A124

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1064008

Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Code function: 0_2_00E687B1 LogonUserW,

0_2_00E687B1

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Code function: 0_2_00E13B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00E13B3A

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Code function: 0_2_00E148D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00E148D7

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Code function: 0_2_00E74C7F mouse_event,

0_2_00E74C7F

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\hesaphareketi-01.pdf.exe"

Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Code function: 0_2_00E67CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00E67CAF

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Code function: 0_2_00E6874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00E6874B

Source: hesaphareketi-01.pdf.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: hesaphareketi-01.pdf.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Code function: 0_2_00E3862B cpuid

0_2_00E3862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Code function: 0_2_00E44E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00E44E87

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Code function: 0_2_00E51E06 GetUserNameW,

0_2_00E51E06

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Code function: 0_2_00E43F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00E43F3A

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe

Code function: 0_2_00E149A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E149A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.pdf.exe.3660000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.pdf.exe.3660000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3297697329.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2064888141.0000000003660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hesaphareketi-01.pdf.exe PID: 6464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6004, type: MEMORYSTR

Source: hesaphareketi-01.pdf.exe	Binary or memory string: WIN_81
Source: hesaphareketi-01.pdf.exe	Binary or memory string: WIN_XP
Source: hesaphareketi-01.pdf.exe	Binary or memory string: WIN_XPe
Source: hesaphareketi-01.pdf.exe	Binary or memory string: WIN_VISTA
Source: hesaphareketi-01.pdf.exe	Binary or memory string: WIN_7
Source: hesaphareketi-01.pdf.exe	Binary or memory string: WIN_8
Source: hesaphareketi-01.pdf.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E86283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00E86283
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe	Code function: 0_2_00E86747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00E86747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Scheduled Task/Job	2 Valid Accounts	221 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	127 System Information Discovery	Distributed Component Object Model	Input Capture	21 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Masquerading	LSA Secrets	231 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Scheduled Task/Job	2 Valid Accounts	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
hesaphareketi-01.pdf.exe	58%	Virustotal		Browse
hesaphareketi-01.pdf.exe	55%	ReversingLabs	Win32.Trojan.AutoitInject
hesaphareketi-01.pdf.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
oshaduck123.duckdns.org	6%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
oshaduck123.duckdns.org	0%	Avira URL Cloud	safe
oshaduck123.duckdns.org	6%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
oshaduck123.duckdns.org	192.169.69.26	true	true	6%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
oshaduck123.duckdns.org	true	6%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.169.69.26	oshaduck123.duckdns.org	United States		23033	WOWUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1576523
Start date and time:	2024-12-17 08:26:38 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	hesaphareketi-01.pdf.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/2@2/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 54 Number of non-executed functions: 271
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.109.210.53
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 6004 because it is empty
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtReadVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
192.169.69.26	f5ATZ1i5CU.exe	Get hash	malicious	RedLine, XWorm	Browse	duclog23.duckdns.org:37552/
	SX8OLQP63C.exe	Get hash	malicious	VjW0rm, AsyncRAT, RATDispenser	Browse	yuya0415.duckdns.org:1928/Vre
	confirmaci#U00f3n y correcci#U00f3n de la direcci#U00f3n de entrega.vbs	Get hash	malicious	Unknown	Browse	servidorarquivos.duckdns.org/e/e
	oKtkBYZMWl.exe	Get hash	malicious	Unknown	Browse	csacsadhe.duckdns.org/byfronbypass.html/css/mss/Arzgohi.mp3
	oKtkBYZMWl.exe	Get hash	malicious	Unknown	Browse	csacsadhe.duckdns.org/byfronbypass.html/css/mss/Arzgohi.mp3
	http://yvtplhuqem.duckdns.org/ja/	Get hash	malicious	Unknown	Browse	yvtplhuqem.duckdns.org/ja/
	http://fqqqffcydg.duckdns.org/en/	Get hash	malicious	Unknown	Browse	fqqqffcydg.duckdns.org/en/
	http://yugdzvsqnf.duckdns.org/en/	Get hash	malicious	Unknown	Browse	yugdzvsqnf.duckdns.org/en/
	&nuevo_pedido#..vbs	Get hash	malicious	Unknown	Browse	servidorarquivos.duckdns.org/e/e
	transferencia_Hsbc.xlsx	Get hash	malicious	Unknown	Browse	servidorarquivos.duckdns.org/e/e

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WOWUS	seethebestmethodwithgreatnessgoodnewsgreatdaygivenme.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	192.169.69.26
	sweetnesswithgreatnessiwthbestthingswithmebackickmegreatthings.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	192.169.69.26
	1734388385543fca13ccf5614dc71c1922a5cd8cddeb80fc9e4bce55f618d2232c3744cd06117.dat-decoded.exe	Get hash	malicious	Remcos	Browse	192.169.69.26
	x295IO8kqM.exe	Get hash	malicious	Remcos	Browse	192.169.69.26
	zvXPSu3dK5.exe	Get hash	malicious	AsyncRAT	Browse	192.169.69.26
	173398584769f9c5bcf28a71f77fba1335e77fe6b4cc4f05afc05fdd9f5830429be0bc9fb5758.dat-decoded.exe	Get hash	malicious	Remcos	Browse	192.169.69.26
	nicegirlforyou.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	192.169.69.26
	1733858044e64c59622ab494dda2ff98fce76991f7e15e513d6a3620e7f58ad7cc67d3889c571.dat-decoded.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	192.169.69.26
	f5ATZ1i5CU.exe	Get hash	malicious	RedLine, XWorm	Browse	192.169.69.26
	P0J8k3LhVV.exe	Get hash	malicious	Nanocore	Browse	192.169.69.26

Process:	C:\Users\user\Desktop\hesaphareketi-01.pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	46080
Entropy (8bit):	6.6332797419083604
Encrypted:	false
SSDEEP:	768:Dti9RiTDEo8qM+nMwvSFHJshgnMOn+G6cSuGBfXyUHkI2n1jBCi:D4rzaYw6FpOg1ndGB/kTjBCi
MD5:	9FAF89012ABB60E26F4517B9CA1BABEA
SHA1:	394D8B33520A7A8FD5A99349D2FED58E54B0AEEF
SHA-256:	19C96263C6A5A0D49BC3CFCC4E80C5BF8F7BBE5C7524B77D079A658D46833A11
SHA-512:	D330EB01A1DE4B1FE2C8E069ADB8923743AFB369B91105152D90EFA4A5B1A2E6E453824A45E65B01F5D2F8DD8C77CCFF1DC777212BBB66DF4769DF6A87083DF0
Malicious:	false
Reputation:	low
Preview:	.k.G2DFLL391..FW.G21VG1D.LH391ZTFW4G21VG1DFLH391ZTFW4G21VG1D.LH37..ZF.=...W..e.$!@.A(;!%U.R7)_+2lV.C/:f>Zgv~.g\+")f>4;~TFW4G21..1D.MK3.w1FW4G21VG.DDMC211Z.FW4M21VG1DH.H39.ZTF.4G21.G1dFLH191^TFW4G21RG1DFLH39.[TFU4G21VG3D..H3)1ZDFW4G"1VW1DFLH3)1ZTFW4G21VG..FL.391Z.FW.@21VG1DFLH391ZTFW4G21WG=DFLH391ZTFW4G21VG1DFLH391ZTFW4G21VG1DFLH391ZTFW4G21Vg1DNLH391ZTFW4G:.VGyDFLH391ZTFW.3WI"G1DR.H39.ZTF.4G23VG1DFLH391ZTFW.G2Qx5B6%LH3.6ZTF.4G29VG1.FLH391ZTFW4G21.G1.h>-_VRZTJW4G21WG1FFLH.91ZTFW4G21VG1D.LHq91ZTFW4G21VG1DFL..91ZTFW\|G21TG4D..H3.]ZTEW4G31VA1DFLH391ZTFW4G21VG1DFLH391ZTFW4G21VG1DFLH391ZTFW..,g.....UJ...".Fjb../4......ptTiWhG21HE.\FLB.#OITFS.Y0.EG1@lV6'91^~XU.S21Rm+:SLH7./X.SW4C.+(Q1DBfV1.'ZTB}.9%1VC.ZD._395pN8O4G6.HE.\FLL.#OCTFS.Y0.OG1@lV6)91^~\)/G25\|Y3.]LH7.+$HFW0m,3.[1DBfRM$1ZPlI6./1VC.nDdv39;L.E}.991VC2+yLH9..)LFW>.(1VC..neH3?.rTFW.m21P}/DFL`.91\nRW4G..VG7~LLH3..ZT@n2G21BoGDFFbe..ZTL$.G2;vg3DF#.39;p:8I4G6.FG1D8RH3=^.TF] .,1VC.:8CH3=.MTF].H21Vo.DFJq691Z\|.W4A.g$..D62X395r;FW>..1VC..5.H3

C:\Users\user\AppData\Local\Temp\autAC23.tmp

Download File

Process:	C:\Users\user\Desktop\hesaphareketi-01.pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	38768
Entropy (8bit):	7.83381330262453
Encrypted:	false
SSDEEP:	768:K+zKkNw7ISEJ6UjIYuDGxvu9j1yfu57E9Ph9ZBckbr:KSpCIbwAualw50uFuh9v1br
MD5:	2BE1110DA80040726979D90FBFA52EAE
SHA1:	2DB0612AAB386CD90CFBFFCF3150FD82777CB60B
SHA-256:	71E7ADE7ACA899914CD5930D7C7EA1145D80AA7669FDCC56F97678D7E49EC3A7
SHA-512:	48417A2AEC8287059897C9CDFF8CA2B4E9F5F9EBDA3A123B2108F0201F7044A5241A54A3A092DEE6D823C2BFD846A99FDE8F90164A1977227E89C21CD339805C
Malicious:	false
Reputation:	low
Preview:	EA06........y...L.L.3....W.Q.S...cD.S)..Ej.F.....F...8..D.].Q.s.TO.W..,.)$.....'r.-VU..M.5.\...Fhr..}Z...[=rW"...I...#0h......}...b......M..3....H..6b...~" ......Q.6@..c9...3R...F.T.U@.13.A.4...cZ...2).Z..I.H.7q.52....(.~]........0...g..)..].Dj.{..'cS:.&D.lT.`......0...)G.To.Z..J.$q............8.Z'...Z.Z.R.-31....../..P..Z\|{..../..ER.4.l.....Z.Q@....A..~..x.d...i..J./..H..kU.....?.]..W..@..J...h.6).X.r.L.Fdt.MR.S.Vf..-.c@.U..p.B.X..`:..W:..).x......8.QQ..(Vj..s'.U(W.t.K1.P.u.'2.3..n...>iG.F..]...L.Z(`.Y..-bR...%2.<.k\|.......W$.Q...l.g..-5*l.cZ.[)3n<..i.Q,.i..wL.Qo.i...H.J.4.D.'...(.y..P.H..ZD.....~..l.cP...C..bs1.[.@$.j-V.......#..U(....B...j5.......&..2...:%.G..l....$...Q.U..J.3...J5vA..63....H..@..m ...h.jU.l.._ .y..1g.Fb.I....\.`.LD...M{..DRQF...h..C.X)....cZ.J{.J<.3v..hVm%.g9.....v....,3J..gI.Ij.j...........A...RIL....ys.%.G...f.+...2..(Y.<...Q..%Z.N.Q..).bcD.Y ...h.@..# 1.:.O......$....y.IS.o....V............6i...8..$Vk.6..<Q'.8D..u..4 1.F

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.830496282635197
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	hesaphareketi-01.pdf.exe
File size:	1'028'608 bytes
MD5:	f8b8beccdf66e3ef9ca54ac632ceb47b
SHA1:	24a275521156c3d36a452a09b69b7fc9a1981f7e
SHA256:	2cdfbaeb99da97fe3ed7bc8370f3af2a9c1a27e2812119a666f457264f6ca801
SHA512:	59ebd8f4e418b1b30a069d9721a7bb72684b3675ca2422ab179abf266cfe3701643b60b2093407224c11f311f667076b41898a3d018831ea55bd59781ef6e4c1
SSDEEP:	24576:qu6J33O0c+JY5UZ+XC0kGso6Fax8PEgNVWY:cu0c++OCvkGs9FaxpXY
TLSH:	CD258E12B3CDC2A5DE275273BE6EA7106E7B3C590170F50F2E843D3999B2261117EA63
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	82a88c96a29a8e53

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67601AA0 [Mon Dec 16 12:18:40 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FE17D36A05Ah
jmp 00007FE17D35CE24h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FE17D35CFAAh
cmp edi, eax
jc 00007FE17D35D30Eh
bt dword ptr [004C31FCh], 01h
jnc 00007FE17D35CFA9h
rep movsb
jmp 00007FE17D35D2BCh
cmp ecx, 00000080h
jc 00007FE17D35D174h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FE17D35CFB0h
bt dword ptr [004BE324h], 01h
jc 00007FE17D35D480h
bt dword ptr [004C31FCh], 00000000h
jnc 00007FE17D35D14Dh
test edi, 00000003h
jne 00007FE17D35D15Eh
test esi, 00000003h
jne 00007FE17D35D13Dh
bt edi, 02h
jnc 00007FE17D35CFAFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FE17D35CFB3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FE17D35D005h
bt esi, 03h
jnc 00007FE17D35D058h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x32944	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xfa000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x32944	0x32a00	989a49cd5c239d9867b69c28abcd0911	False	0.5606336805555555	data	7.0896065911760475	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xfa000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc7518	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc7640	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc7768	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7890	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	Great Britain	0.6781914893617021
RT_ICON	0xc7cf8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	Great Britain	0.4383208255159475
RT_ICON	0xc8da0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	Great Britain	0.33070539419087136
RT_ICON	0xcb348	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	English	Great Britain	0.2756849315068493
RT_ICON	0xcf570	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	Great Britain	0.09768721164083757
RT_MENU	0xdfd98	0x50	data	English	Great Britain	0.9
RT_STRING	0xdfde8	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xe037c	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xe0a08	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xe0e98	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xe1494	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xe1af0	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xe1f58	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xe20b0	0x1733d	data			1.0003787998358533
RT_GROUP_ICON	0xf93f0	0x4c	data	English	Great Britain	0.8157894736842105
RT_GROUP_ICON	0xf943c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xf9450	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xf9464	0x14	data	English	Great Britain	1.25
RT_VERSION	0xf9478	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xf9554	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 08:27:37.349430084 CET	49704	6606	192.168.2.5	192.169.69.26
Dec 17, 2024 08:27:37.469343901 CET	6606	49704	192.169.69.26	192.168.2.5
Dec 17, 2024 08:27:37.469435930 CET	49704	6606	192.168.2.5	192.169.69.26
Dec 17, 2024 08:27:37.480535984 CET	49704	6606	192.168.2.5	192.169.69.26
Dec 17, 2024 08:27:37.600291967 CET	6606	49704	192.169.69.26	192.168.2.5
Dec 17, 2024 08:27:47.876641035 CET	6606	49704	192.169.69.26	192.168.2.5
Dec 17, 2024 08:27:47.876796961 CET	49704	6606	192.168.2.5	192.169.69.26
Dec 17, 2024 08:27:52.944813967 CET	49704	6606	192.168.2.5	192.169.69.26
Dec 17, 2024 08:27:52.946013927 CET	49715	6606	192.168.2.5	192.169.69.26
Dec 17, 2024 08:27:53.068136930 CET	6606	49704	192.169.69.26	192.168.2.5
Dec 17, 2024 08:27:53.068716049 CET	6606	49715	192.169.69.26	192.168.2.5
Dec 17, 2024 08:27:53.071490049 CET	49715	6606	192.168.2.5	192.169.69.26
Dec 17, 2024 08:27:53.071858883 CET	49715	6606	192.168.2.5	192.169.69.26
Dec 17, 2024 08:27:53.192501068 CET	6606	49715	192.169.69.26	192.168.2.5
Dec 17, 2024 08:28:03.547633886 CET	6606	49715	192.169.69.26	192.168.2.5
Dec 17, 2024 08:28:03.547720909 CET	49715	6606	192.168.2.5	192.169.69.26
Dec 17, 2024 08:28:08.553878069 CET	49715	6606	192.168.2.5	192.169.69.26
Dec 17, 2024 08:28:08.554929972 CET	49756	8808	192.168.2.5	192.169.69.26
Dec 17, 2024 08:28:08.673563957 CET	6606	49715	192.169.69.26	192.168.2.5
Dec 17, 2024 08:28:08.674627066 CET	8808	49756	192.169.69.26	192.168.2.5
Dec 17, 2024 08:28:08.674746037 CET	49756	8808	192.168.2.5	192.169.69.26
Dec 17, 2024 08:28:08.675319910 CET	49756	8808	192.168.2.5	192.169.69.26
Dec 17, 2024 08:28:08.794998884 CET	8808	49756	192.169.69.26	192.168.2.5
Dec 17, 2024 08:28:19.022075891 CET	8808	49756	192.169.69.26	192.168.2.5
Dec 17, 2024 08:28:19.022203922 CET	49756	8808	192.168.2.5	192.169.69.26
Dec 17, 2024 08:28:24.036843061 CET	49756	8808	192.168.2.5	192.169.69.26
Dec 17, 2024 08:28:24.037626028 CET	49792	7707	192.168.2.5	192.169.69.26
Dec 17, 2024 08:28:24.156589985 CET	8808	49756	192.169.69.26	192.168.2.5
Dec 17, 2024 08:28:24.157305002 CET	7707	49792	192.169.69.26	192.168.2.5
Dec 17, 2024 08:28:24.157404900 CET	49792	7707	192.168.2.5	192.169.69.26
Dec 17, 2024 08:28:24.157761097 CET	49792	7707	192.168.2.5	192.169.69.26
Dec 17, 2024 08:28:24.277497053 CET	7707	49792	192.169.69.26	192.168.2.5
Dec 17, 2024 08:28:34.631633043 CET	7707	49792	192.169.69.26	192.168.2.5
Dec 17, 2024 08:28:34.631745100 CET	49792	7707	192.168.2.5	192.169.69.26
Dec 17, 2024 08:28:39.646296024 CET	49792	7707	192.168.2.5	192.169.69.26
Dec 17, 2024 08:28:39.766011953 CET	7707	49792	192.169.69.26	192.168.2.5
Dec 17, 2024 08:28:39.954440117 CET	49829	6606	192.168.2.5	192.169.69.26
Dec 17, 2024 08:28:40.074157000 CET	6606	49829	192.169.69.26	192.168.2.5
Dec 17, 2024 08:28:40.074297905 CET	49829	6606	192.168.2.5	192.169.69.26
Dec 17, 2024 08:28:40.074677944 CET	49829	6606	192.168.2.5	192.169.69.26
Dec 17, 2024 08:28:40.194303989 CET	6606	49829	192.169.69.26	192.168.2.5
Dec 17, 2024 08:28:50.568139076 CET	6606	49829	192.169.69.26	192.168.2.5
Dec 17, 2024 08:28:50.568355083 CET	49829	6606	192.168.2.5	192.169.69.26
Dec 17, 2024 08:28:55.584336996 CET	49829	6606	192.168.2.5	192.169.69.26
Dec 17, 2024 08:28:55.584768057 CET	49859	6606	192.168.2.5	192.169.69.26
Dec 17, 2024 08:28:55.704452038 CET	6606	49829	192.169.69.26	192.168.2.5
Dec 17, 2024 08:28:55.704942942 CET	6606	49859	192.169.69.26	192.168.2.5
Dec 17, 2024 08:28:55.705333948 CET	49859	6606	192.168.2.5	192.169.69.26
Dec 17, 2024 08:28:55.705859900 CET	49859	6606	192.168.2.5	192.169.69.26
Dec 17, 2024 08:28:55.825614929 CET	6606	49859	192.169.69.26	192.168.2.5
Dec 17, 2024 08:29:06.051091909 CET	6606	49859	192.169.69.26	192.168.2.5
Dec 17, 2024 08:29:06.051166058 CET	49859	6606	192.168.2.5	192.169.69.26
Dec 17, 2024 08:29:11.053317070 CET	49895	7707	192.168.2.5	192.169.69.26
Dec 17, 2024 08:29:11.053751945 CET	49859	6606	192.168.2.5	192.169.69.26
Dec 17, 2024 08:29:11.173242092 CET	7707	49895	192.169.69.26	192.168.2.5
Dec 17, 2024 08:29:11.173429012 CET	6606	49859	192.169.69.26	192.168.2.5
Dec 17, 2024 08:29:11.173465967 CET	49895	7707	192.168.2.5	192.169.69.26
Dec 17, 2024 08:29:11.173947096 CET	49895	7707	192.168.2.5	192.169.69.26
Dec 17, 2024 08:29:11.293651104 CET	7707	49895	192.169.69.26	192.168.2.5
Dec 17, 2024 08:29:21.661859035 CET	7707	49895	192.169.69.26	192.168.2.5
Dec 17, 2024 08:29:21.661948919 CET	49895	7707	192.168.2.5	192.169.69.26
Dec 17, 2024 08:29:26.677458048 CET	49895	7707	192.168.2.5	192.169.69.26
Dec 17, 2024 08:29:26.678327084 CET	49932	7707	192.168.2.5	192.169.69.26
Dec 17, 2024 08:29:26.797255993 CET	7707	49895	192.169.69.26	192.168.2.5
Dec 17, 2024 08:29:26.798048019 CET	7707	49932	192.169.69.26	192.168.2.5
Dec 17, 2024 08:29:26.798158884 CET	49932	7707	192.168.2.5	192.169.69.26
Dec 17, 2024 08:29:26.798537016 CET	49932	7707	192.168.2.5	192.169.69.26
Dec 17, 2024 08:29:26.918256044 CET	7707	49932	192.169.69.26	192.168.2.5
Dec 17, 2024 08:29:37.247916937 CET	7707	49932	192.169.69.26	192.168.2.5
Dec 17, 2024 08:29:37.248097897 CET	49932	7707	192.168.2.5	192.169.69.26

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 08:27:37.026494980 CET	56463	53	192.168.2.5	1.1.1.1
Dec 17, 2024 08:27:37.346256018 CET	53	56463	1.1.1.1	192.168.2.5
Dec 17, 2024 08:28:39.646915913 CET	65333	53	192.168.2.5	1.1.1.1
Dec 17, 2024 08:28:39.953397036 CET	53	65333	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 17, 2024 08:27:37.026494980 CET	192.168.2.5	1.1.1.1	0xbd6	Standard query (0)	oshaduck123.duckdns.org	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:28:39.646915913 CET	192.168.2.5	1.1.1.1	0xf57d	Standard query (0)	oshaduck123.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 17, 2024 08:27:37.346256018 CET	1.1.1.1	192.168.2.5	0xbd6	No error (0)	oshaduck123.duckdns.org		192.169.69.26	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:28:39.953397036 CET	1.1.1.1	192.168.2.5	0xf57d	No error (0)	oshaduck123.duckdns.org		192.169.69.26	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	02:27:30
Start date:	17/12/2024
Path:	C:\Users\user\Desktop\hesaphareketi-01.pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\hesaphareketi-01.pdf.exe"
Imagebase:	0xe10000
File size:	1'028'608 bytes
MD5 hash:	F8B8BECCDF66E3EF9CA54AC632CEB47B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.2064888141.0000000003660000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.2064888141.0000000003660000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000000.00000002.2064888141.0000000003660000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.2064888141.0000000003660000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:27:31
Start date:	17/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\hesaphareketi-01.pdf.exe"
Imagebase:	0xfe0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000002.00000002.3297697329.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000002.00000002.3297697329.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	1.3%
Signature Coverage:	8.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	57

Executed Functions

Function 00E13B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E13B68
IsDebuggerPresent.KERNEL32 ref: 00E13B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,00ED52F8,00ED52E0,?,?), ref: 00E13BEB

Part of subcall function 00E17BCC: _memmove.LIBCMT ref: 00E17C06

Part of subcall function 00E2092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00E13C14,00ED52F8,?,?,?), ref: 00E2096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00E13C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00EC7770,00000010), ref: 00E4D281
SetCurrentDirectoryW.KERNEL32(?,00ED52F8,?,?,?), ref: 00E4D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00EC4260,00ED52F8,?,?,?), ref: 00E4D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 00E4D346

Part of subcall function 00E13A46: GetSysColorBrush.USER32(0000000F), ref: 00E13A50
Part of subcall function 00E13A46: LoadCursorW.USER32(00000000,00007F00), ref: 00E13A5F
Part of subcall function 00E13A46: LoadIconW.USER32(00000063), ref: 00E13A76
Part of subcall function 00E13A46: LoadIconW.USER32(000000A4), ref: 00E13A88
Part of subcall function 00E13A46: LoadIconW.USER32(000000A2), ref: 00E13A9A
Part of subcall function 00E13A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E13AC0
Part of subcall function 00E13A46: RegisterClassExW.USER32(?), ref: 00E13B16

Part of subcall function 00E139D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E13A03
Part of subcall function 00E139D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E13A24
Part of subcall function 00E139D5: ShowWindow.USER32(00000000,?,?), ref: 00E13A38
Part of subcall function 00E139D5: ShowWindow.USER32(00000000,?,?), ref: 00E13A41

Part of subcall function 00E1434A: _memset.LIBCMT ref: 00E14370
Part of subcall function 00E1434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E14415

Strings

runas, xrefs: 00E4D33A
This is a third-party compiled AutoIt script., xrefs: 00E4D279
%, xrefs: 00E13C44

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%
API String ID: 529118366-3343222573
Opcode ID: 8b2fea4e2a1466beff377ffa13f2fb2b4497d9dbfafa0e85490c52a30662cc1e
Instruction ID: 416438bb00fe7b179448d54071e8eff6735a45a4cd0a030bf7e6ad794d5c118f
Opcode Fuzzy Hash: 8b2fea4e2a1466beff377ffa13f2fb2b4497d9dbfafa0e85490c52a30662cc1e
Instruction Fuzzy Hash: 51510B71D08248AECF11EBB5EC06EEDBBB4EF45710F106067F451B22B1DA70568ACB61

Function 00E149A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00E149CD

Part of subcall function 00E17BCC: _memmove.LIBCMT ref: 00E17C06

GetCurrentProcess.KERNEL32(?,00E9FAEC,00000000,00000000,?), ref: 00E14A9A
IsWow64Process.KERNEL32(00000000), ref: 00E14AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00E14AE7
FreeLibrary.KERNEL32(00000000), ref: 00E14AF2
GetSystemInfo.KERNEL32(00000000), ref: 00E14B23
GetSystemInfo.KERNEL32(00000000), ref: 00E14B2F

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: ce27c0d6c520b4cca7b695493ef74fa5cbf1211afad69fbdf3858a4d06c5586a
Instruction ID: 223c61d405d847862e524333682327c011c9bf81292282170f64e0260fed8e12
Opcode Fuzzy Hash: ce27c0d6c520b4cca7b695493ef74fa5cbf1211afad69fbdf3858a4d06c5586a
Instruction Fuzzy Hash: 5991C57198D7C0DEC731CB6894505EAFFF5AF2A304B4469AED0C7A3B41D220A588C759

Function 00E14E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00E14D8E,?,?,00000000,00000000), ref: 00E14E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00E14D8E,?,?,00000000,00000000), ref: 00E14EB0
LoadResource.KERNEL32(?,00000000,?,?,00E14D8E,?,?,00000000,00000000,?,?,?,?,?,?,00E14E2F), ref: 00E4D937
SizeofResource.KERNEL32(?,00000000,?,?,00E14D8E,?,?,00000000,00000000,?,?,?,?,?,?,00E14E2F), ref: 00E4D94C
LockResource.KERNEL32(00E14D8E,?,?,00E14D8E,?,?,00000000,00000000,?,?,?,?,?,?,00E14E2F,00000000), ref: 00E4D95F

Strings

SCRIPT, xrefs: 00E14EA6

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 831bc04123cef85518588195e6fcad88ce72779b1fbc7943cf386eb980c522f7
Instruction ID: 01f28efd2d3e61adac9afc500bfd8ac125773988e37da3aba602a54b79eb24a1
Opcode Fuzzy Hash: 831bc04123cef85518588195e6fcad88ce72779b1fbc7943cf386eb980c522f7
Instruction Fuzzy Hash: 171173B5240700BFD7218B65EC48F677BB9FBC5B11F10426DF405EA2A0DB71EC448660

Function 00E1FCE0 Relevance: 9.8, APIs: 3, Strings: 2, Instructions: 1040COMMON

Download Yara Rule

Strings

pb, xrefs: 00E549B9
%, xrefs: 00E1FCF3

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: BuffCharUpper
String ID: pb$%
API String ID: 3964851224-1798441486
Opcode ID: 342354fca0087467f4b92d80ee2e10a2c55890f0b04b6a331d11e5309423a974
Instruction ID: 7328d0c0b950ec2a672a866a1dd3e13d808924cf674c5769a271c676251a6d28
Opcode Fuzzy Hash: 342354fca0087467f4b92d80ee2e10a2c55890f0b04b6a331d11e5309423a974
Instruction Fuzzy Hash: D59270706083518FD724DF14D480B6AB7E1FF85308F14996DE89AAB3A2D771EC85CB92

Function 00E1E6A0 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

Dd, xrefs: 00E53B2E
Variable must be of type 'Object'., xrefs: 00E53E62
Dd, xrefs: 00E53AF5
Dd, xrefs: 00E1EAC1
Dd, xrefs: 00E1EABA

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID: Dd$Dd$Dd$Dd$Variable must be of type 'Object'.
API String ID: 0-2781164977
Opcode ID: 0bffe0bebae6743e30004ca7583b78bb7468724e007ef7bc99095cab456f47df
Instruction ID: 76c03df2acc3c8d2a0ce943ac2ecbeb70c3373f625a53de8b1ace3748be4a647
Opcode Fuzzy Hash: 0bffe0bebae6743e30004ca7583b78bb7468724e007ef7bc99095cab456f47df
Instruction Fuzzy Hash: 90A24875A00205CFCB24CF54C480AEAB7B2FF59318F68946AEC16BB351D775AD86CB90

Function 00E7445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00E4E398), ref: 00E7446A
FindFirstFileW.KERNELBASE(?,?), ref: 00E7447B
FindClose.KERNEL32(00000000), ref: 00E7448B

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: ad2ecd34260a03a2c47039c122b1195cc4fbc20dc3798d54fe4b867fc2edece3
Instruction ID: be0120a10bbb5d9688ab6efa7d35d24e18d532793f2d607c9dbd39281257b9d0
Opcode Fuzzy Hash: ad2ecd34260a03a2c47039c122b1195cc4fbc20dc3798d54fe4b867fc2edece3
Instruction Fuzzy Hash: A8E020B34105006F4210AB38EC0D5E9775C9F05335F244717F839E10E0F7745D04A5D5

Function 00E209D0 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E20A5B
timeGetTime.WINMM ref: 00E20D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E20E53
Sleep.KERNEL32(0000000A), ref: 00E20E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00E20EFA
DestroyWindow.USER32 ref: 00E20F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E20F20
Sleep.KERNEL32(0000000A,?,?), ref: 00E54E83
TranslateMessage.USER32(?), ref: 00E55C60
DispatchMessageW.USER32(?), ref: 00E55C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E55C82

Strings

@GUI_WINHANDLE, xrefs: 00E54F8F
@TRAY_ID, xrefs: 00E5578F
pb, xrefs: 00E54FAE
@GUI_CTRLID, xrefs: 00E54F3A
@COM_EVENTOBJ, xrefs: 00E554F0
pb, xrefs: 00E54F59
@GUI_CTRLHANDLE, xrefs: 00E54FE4
pb, xrefs: 00E55003
pb, xrefs: 00E557B4

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pb$pb$pb$pb
API String ID: 4212290369-1420604165
Opcode ID: 3bdbee215e091a4f6319b6ab8beb2336b97dc5d98a2017e381cfc1efc5244b78
Instruction ID: dbb357d33654f763c9faf26300c3a35db1544c0f673221efceb1ab1ca65f3ff1
Opcode Fuzzy Hash: 3bdbee215e091a4f6319b6ab8beb2336b97dc5d98a2017e381cfc1efc5244b78
Instruction Fuzzy Hash: B8B2F571604741DFD724DF24D895BAAB7E4FF84308F14591EE859B72A2CB70E888CB82

Function 00E79155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E78F5F: __time64.LIBCMT ref: 00E78F69

Part of subcall function 00E14EE5: _fseek.LIBCMT ref: 00E14EFD

__wsplitpath.LIBCMT ref: 00E79234

Part of subcall function 00E340FB: __wsplitpath_helper.LIBCMT ref: 00E3413B

_wcscpy.LIBCMT ref: 00E79247
_wcscat.LIBCMT ref: 00E7925A
__wsplitpath.LIBCMT ref: 00E7927F
_wcscat.LIBCMT ref: 00E79295
_wcscat.LIBCMT ref: 00E792A8

Part of subcall function 00E78FA5: _memmove.LIBCMT ref: 00E78FDE
Part of subcall function 00E78FA5: _memmove.LIBCMT ref: 00E78FED

_wcscmp.LIBCMT ref: 00E791EF

Part of subcall function 00E79734: _wcscmp.LIBCMT ref: 00E79824
Part of subcall function 00E79734: _wcscmp.LIBCMT ref: 00E79837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00E79452
_wcsncpy.LIBCMT ref: 00E794C5
DeleteFileW.KERNEL32(?,?), ref: 00E794FB
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00E79511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00E79522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00E79534

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 6d64ce939343758058749c032a08224ab99744fcb6cb003c9fa5e06e5c346cf4
Instruction ID: 21c792866ab435b7ffc1850787171a99dfd0a9b3b77ba0c521d79833a112b286
Opcode Fuzzy Hash: 6d64ce939343758058749c032a08224ab99744fcb6cb003c9fa5e06e5c346cf4
Instruction Fuzzy Hash: C4C12DB1E00119AADF11DF95CC85ADEBBB9EF45310F0090AAF609F7251DB309A85CF65

Function 00E1301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E13074
RegisterClassExW.USER32(00000030), ref: 00E1309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E130AF
InitCommonControlsEx.COMCTL32(?), ref: 00E130CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E130DC
LoadIconW.USER32(000000A9), ref: 00E130F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E13101

Strings

AutoIt v3 GUI, xrefs: 00E13090
0, xrefs: 00E13056
TaskbarCreated, xrefs: 00E130A4
+, xrefs: 00E1305D

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 080764e877e6221824b5fe9d3e9bca332b4a83cac5dc49c5fef842a2bc429296
Instruction ID: 8a2b7a3881d093f644128bfefb604ce16eea1701c6014fc7f08c07aa1cc8ccda
Opcode Fuzzy Hash: 080764e877e6221824b5fe9d3e9bca332b4a83cac5dc49c5fef842a2bc429296
Instruction Fuzzy Hash: 7C3114B6941309AFDB508FA5E889AD9BBF4FB09310F20412BE580F62A0D3B54599CF90

Function 00E13041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E13074
RegisterClassExW.USER32(00000030), ref: 00E1309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E130AF
InitCommonControlsEx.COMCTL32(?), ref: 00E130CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E130DC
LoadIconW.USER32(000000A9), ref: 00E130F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E13101

Strings

AutoIt v3 GUI, xrefs: 00E13090
0, xrefs: 00E13056
TaskbarCreated, xrefs: 00E130A4
+, xrefs: 00E1305D

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 837b160d8ec089db11fbe228341f69d3e2736147f64d49f04c137d0fe478a473
Instruction ID: 91ba1962c7f02ec04eb397e74db32ccdc90e3ad93923ffe698ca855efd66f2c8
Opcode Fuzzy Hash: 837b160d8ec089db11fbe228341f69d3e2736147f64d49f04c137d0fe478a473
Instruction Fuzzy Hash: FC21A0B6911618AFDB00DFA6E889ADDBBF8FB08701F10412BE910F62A0D7B145589F91

Function 00E1708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E14706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00ED52F8,?,00E137AE,?), ref: 00E14724

Part of subcall function 00E3050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00E17165), ref: 00E3052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00E171A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00E4E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00E4E909
RegCloseKey.ADVAPI32(?), ref: 00E4E947
_wcscat.LIBCMT ref: 00E4E9A0

Strings

\Include\, xrefs: 00E17165
\, xrefs: 00E4E9C3
Software\AutoIt v3\AutoIt, xrefs: 00E1719E
Include, xrefs: 00E4E8BF, 00E4E900

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 5c4402506a2b5491aaea8bf862357ea37a706d1369add62c574510950f9e1bae
Instruction ID: 18e1574ab1d34667a470093a917b6261b83b9285bd4c7bccae7b7c3f02f48d8b
Opcode Fuzzy Hash: 5c4402506a2b5491aaea8bf862357ea37a706d1369add62c574510950f9e1bae
Instruction Fuzzy Hash: 3F713A715093019EC704EF66E8419ABBBF8FF89310B40292EF585B72B1EB719948CB52

Function 00E13633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00E136D2
KillTimer.USER32(?,00000001), ref: 00E136FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E1371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E1372A
CreatePopupMenu.USER32 ref: 00E1373E
PostQuitMessage.USER32(00000000), ref: 00E1374D

Strings

TaskbarCreated, xrefs: 00E13725
%, xrefs: 00E4D081, 00E4D0CF

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%
API String ID: 129472671-3835587964
Opcode ID: ae62d3ca4f9c3a5b6d5dd44d5cc5b80782fe3e79f3a7a48657fc454eaa5a5e47
Instruction ID: 05c8e2d40b1f7b937f3c990d43b21bdd8d5ee1d6a1c6d2f552d5d07f3f319b64
Opcode Fuzzy Hash: ae62d3ca4f9c3a5b6d5dd44d5cc5b80782fe3e79f3a7a48657fc454eaa5a5e47
Instruction Fuzzy Hash: 1E4125B2204505FFDB149FB4FC09BFA37A5EB04305F542127F502F62E2CA609E899661

Function 00E13A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E13A50
LoadCursorW.USER32(00000000,00007F00), ref: 00E13A5F
LoadIconW.USER32(00000063), ref: 00E13A76
LoadIconW.USER32(000000A4), ref: 00E13A88
LoadIconW.USER32(000000A2), ref: 00E13A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E13AC0
RegisterClassExW.USER32(?), ref: 00E13B16

Part of subcall function 00E13041: GetSysColorBrush.USER32(0000000F), ref: 00E13074
Part of subcall function 00E13041: RegisterClassExW.USER32(00000030), ref: 00E1309E
Part of subcall function 00E13041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E130AF
Part of subcall function 00E13041: InitCommonControlsEx.COMCTL32(?), ref: 00E130CC
Part of subcall function 00E13041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E130DC
Part of subcall function 00E13041: LoadIconW.USER32(000000A9), ref: 00E130F2
Part of subcall function 00E13041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E13101

Strings

0, xrefs: 00E13AF4
AutoIt v3, xrefs: 00E13B05
#, xrefs: 00E13AFB

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 8db8bd8972e02654b560a304c5588acf372af6665f7d1177bb5b925d4a543fdb
Instruction ID: f0838aad1e07a1bb018d1245c28a601cda61bb0ae0556bb516b5a860045bd053
Opcode Fuzzy Hash: 8db8bd8972e02654b560a304c5588acf372af6665f7d1177bb5b925d4a543fdb
Instruction Fuzzy Hash: 6C210872912304AFEB10DFA6FC49BAD7BB5EB08712F10012BF504B62B1D7B656588F94

Function 00E13766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMDLINERAW, xrefs: 00E137FB
/AutoIt3ExecuteScript, xrefs: 00E138BC
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00E137AE
/ErrorStdOut, xrefs: 00E1387D
/AutoIt3OutputDebug, xrefs: 00E13892
/AutoIt3ExecuteLine, xrefs: 00E138A7
CMDLINE, xrefs: 00E13822
R, xrefs: 00E4D213

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$R
API String ID: 1825951767-347772802
Opcode ID: fa257dea3d1f44352ba36ddf5da9bfba7e85f22eb5664987d28c1a7371935d46
Instruction ID: 354177f36978eb19de16806ca0329fbf8727d22e4103ce5ba74eedc4dae7051f
Opcode Fuzzy Hash: fa257dea3d1f44352ba36ddf5da9bfba7e85f22eb5664987d28c1a7371935d46
Instruction Fuzzy Hash: D7A1607291021D9ACF05EBA0DC95EEEBBB8FF55310F40242AF415B7191EF745A89CB60

Function 00E1F76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E30162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E30193
Part of subcall function 00E30162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00E3019B
Part of subcall function 00E30162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E301A6
Part of subcall function 00E30162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E301B1
Part of subcall function 00E30162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00E301B9
Part of subcall function 00E30162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00E301C1

Part of subcall function 00E260F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00E1F930), ref: 00E26154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00E1F9CD
OleInitialize.OLE32(00000000), ref: 00E1FA4A
CloseHandle.KERNEL32(00000000), ref: 00E545C8

Strings

\T, xrefs: 00E1F7F7
S, xrefs: 00E1F7EB
<W, xrefs: 00E1F930
%, xrefs: 00E1F796, 00E1F7A8, 00E1F96E, 00E1FA51

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <W$\T$%$S
API String ID: 1986988660-191198415
Opcode ID: ca6b4d47623b931867476429514e643f42aa692c3f6b4e7b3c48c727d486029e
Instruction ID: bd887673301c7c59bd2279f4682fdb3fade08406fe547a79379b45c2249195e0
Opcode Fuzzy Hash: ca6b4d47623b931867476429514e643f42aa692c3f6b4e7b3c48c727d486029e
Instruction Fuzzy Hash: C981ACB2906A40CFC384DF3BB9456597BE5EB89306760A12FD02AFB371E77044898F12

Function 01184488 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01184559
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0118477F

Memory Dump Source

Source File: 00000000.00000002.2064673390.0000000001181000.00000040.00000020.00020000.00000000.sdmp, Offset: 01181000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1181000_hesaphareketi-01.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction ID: 896a45701febd4df3c8653accdfd4059ff4493433bb80f2295bd5c5e7112997d
Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction Fuzzy Hash: C9A13C74E00209EBDB18DFA4C894BEEBBB5FF48308F208159E615BB680DB759A41CF55

Function 00E139D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E13A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E13A24
ShowWindow.USER32(00000000,?,?), ref: 00E13A38
ShowWindow.USER32(00000000,?,?), ref: 00E13A41

Strings

edit, xrefs: 00E13A1E
AutoIt v3, xrefs: 00E139FB, 00E13A00, 00E13A01

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 82b5e406e00147158f9128ae52e4fafae53b24bca02bdb2b13a7f72f9fbb8f1e
Instruction ID: 31ac4706c521900b137681f4aa48bf797dbfa197a56e4314414d8fca5fec4555
Opcode Fuzzy Hash: 82b5e406e00147158f9128ae52e4fafae53b24bca02bdb2b13a7f72f9fbb8f1e
Instruction Fuzzy Hash: E3F0D472642690BEEA315B67BC49E6B2F7DE7C6F50B00412FF904F21B0C6A11859DAB0

Function 01184268 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 140
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01184158: Sleep.KERNELBASE(000001F4), ref: 01184169

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01184376

Strings

21VG1DFLH391ZTFW4G, xrefs: 011843D9, 011843DC

Memory Dump Source

Source File: 00000000.00000002.2064673390.0000000001181000.00000040.00000020.00020000.00000000.sdmp, Offset: 01181000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1181000_hesaphareketi-01.jbxd

Similarity

API ID: CreateFileSleep
String ID: 21VG1DFLH391ZTFW4G
API String ID: 2694422964-3346150779
Opcode ID: 496a93e7c9ebdf37a9c467a269e03db1a711221d4230f65c43ab27b4bc24d662
Instruction ID: 7b009094cda0452ddf5c0c42393b88e9a006a5ea0efb3aa650266666cfe3f35c
Opcode Fuzzy Hash: 496a93e7c9ebdf37a9c467a269e03db1a711221d4230f65c43ab27b4bc24d662
Instruction Fuzzy Hash: DC51D630D04259DBEF15DBE4C804BEEBB78AF15304F048599E648BB2C0DBB91B49CB66

Function 00E1407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00E4D3D7

Part of subcall function 00E17BCC: _memmove.LIBCMT ref: 00E17C06

_memset.LIBCMT ref: 00E140FC
_wcscpy.LIBCMT ref: 00E14150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E14160

Strings

Line: , xrefs: 00E4D400

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 60d2c704b54e8bd8e7ed5de2510f1776c43a75495545cc244e35155a91576757
Instruction ID: 5bb2d60543e9fe8c7cda3ccd8051fc83c33696d7ed5213acff47e9a2b12116e6
Opcode Fuzzy Hash: 60d2c704b54e8bd8e7ed5de2510f1776c43a75495545cc244e35155a91576757
Instruction Fuzzy Hash: BD31AC72009304AED320EB61EC46FDA77E8AB48704F10691BF585B21A1EB70A68DC782

Function 00E3541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E3547B
_memcpy_s.LIBCMT ref: 00E354ED
__read_nolock.LIBCMT ref: 00E3554B
__filbuf.LIBCMT ref: 00E3556E
_memset.LIBCMT ref: 00E355B2

Part of subcall function 00E38B28: __getptd_noexit.LIBCMT ref: 00E38B28

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: 828261b88c608a69b01f5c8770c28cab8316d3d2c3975002fb0b5fde0f013f95
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: 1A519972A00B05EBDB288F65D8485AE7FB6AF41325F149729F835B63D0D771AD50CB40

Function 00E1686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00E14DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00ED52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E14E0F

_free.LIBCMT ref: 00E4E263
_free.LIBCMT ref: 00E4E2AA

Part of subcall function 00E16A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00E16BAD

Strings

Bad directive syntax error, xrefs: 00E4E292
>>>AUTOIT SCRIPT<<<, xrefs: 00E4E039

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 6ebce19203dfd6cf3248ddf3ba28c7fd611c507d96e06b93a7edf0d01951f906
Instruction ID: d80986d91a1bf17ca143e67bef48f7c5ade8ee6166fc5c5b7084cf4e7a95c783
Opcode Fuzzy Hash: 6ebce19203dfd6cf3248ddf3ba28c7fd611c507d96e06b93a7edf0d01951f906
Instruction Fuzzy Hash: 58915C71900219AFCF08EFA4E8919EEB7B8FF05314F14642AF815BB3A1DB70A955CB50

Function 00E135B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00E135A1,SwapMouseButtons,00000004,?), ref: 00E135D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00E135A1,SwapMouseButtons,00000004,?,?,?,?,00E12754), ref: 00E135F5
RegCloseKey.KERNELBASE(00000000,?,?,00E135A1,SwapMouseButtons,00000004,?,?,?,?,00E12754), ref: 00E13617

Strings

Control Panel\Mouse, xrefs: 00E135D2

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: c3b90da975ca0343859c78c3f072ec25aaf822fdeedc551bab2ec7f672134c92
Instruction ID: 5f39cf6ddb6dcb03a0f98959a8832c634147200073f6f31ca932256b1699b9d4
Opcode Fuzzy Hash: c3b90da975ca0343859c78c3f072ec25aaf822fdeedc551bab2ec7f672134c92
Instruction Fuzzy Hash: C6114871610208BFDB20CF65DC809EEB7BCEF44744F0054AAE805E7210D2719E949760

Function 01183158 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01183985
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 011839A9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 011839CB

Memory Dump Source

Source File: 00000000.00000002.2064673390.0000000001181000.00000040.00000020.00020000.00000000.sdmp, Offset: 01181000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1181000_hesaphareketi-01.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
Instruction ID: 4681a1ccb5ea97d1e65c94dbeba56ef8c3e4f38475d8fd02025a28eaf7f65f4f
Opcode Fuzzy Hash: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
Instruction Fuzzy Hash: 62620930A146189BEB28DFA4C840BDEB772FF58700F1491A9D11DEB290E7769E81CF59

Function 00E7955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00E14EE5: _fseek.LIBCMT ref: 00E14EFD

Part of subcall function 00E79734: _wcscmp.LIBCMT ref: 00E79824
Part of subcall function 00E79734: _wcscmp.LIBCMT ref: 00E79837

_free.LIBCMT ref: 00E796A2
_free.LIBCMT ref: 00E796A9
_free.LIBCMT ref: 00E79714

Part of subcall function 00E32D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00E39A24), ref: 00E32D69
Part of subcall function 00E32D55: GetLastError.KERNEL32(00000000,?,00E39A24), ref: 00E32D7B

_free.LIBCMT ref: 00E7971C

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 50af52b8f22919c11c7515362fb071ee60fc7e1c9e9e4129b0e36dbf2dd802cb
Instruction ID: f967d50c21e14e7d562efd526d1b1137cf003c427961ad87e0d9c932656e4a36
Opcode Fuzzy Hash: 50af52b8f22919c11c7515362fb071ee60fc7e1c9e9e4129b0e36dbf2dd802cb
Instruction Fuzzy Hash: FC514CB1A04258ABDF259F64DC85A9EBBB9EF48300F10549EF20DB7381DB715A81CF58

Function 00E3470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E347A0
__flush.LIBCMT ref: 00E347C0
__write.LIBCMT ref: 00E347F3
__flsbuf.LIBCMT ref: 00E34821

Part of subcall function 00E38B28: __getptd_noexit.LIBCMT ref: 00E38B28

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: f22f0a7f315e471a8b7738c614d654f5854deacd27d0086139818bf887dbd2ce
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: C841B3B5A007469BDB1C8E69C8889AE7FA5EF82364F24917EF815A76C0D770ED41CB40

Function 00E14C70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E14CBA

Strings

EA06, xrefs: 00E4D8CC
AU3!P/, xrefs: 00E14CB4

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/$EA06
API String ID: 4104443479-182974850
Opcode ID: 5951b7a31270730b0dacc53f5b446fce38e2098f0444935fba4283aa5345b387
Instruction ID: 66398923b67e0b89bc1c9281ab8f730bd95175d195a4b67f9878ac0027a22c51
Opcode Fuzzy Hash: 5951b7a31270730b0dacc53f5b446fce38e2098f0444935fba4283aa5345b387
Instruction Fuzzy Hash: 2C412DF2A0415857DF219B64EC51BFE7FE29B45304F687465EC82BB3C2D6205DC583A1

Function 00E17285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E4EA39
GetOpenFileNameW.COMDLG32(?), ref: 00E4EA83

Part of subcall function 00E14750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E14743,?,?,00E137AE,?), ref: 00E14770

Part of subcall function 00E30791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E307B0

Strings

X, xrefs: 00E4EA51

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 02a410af085f954d6f965a62779ff6165875a0087ddcced8ad1f46d9fc6575ad
Instruction ID: 898aaaa7df728471adff0342d927d0f12b4876f8f6dffd63bf357df9ee68fea7
Opcode Fuzzy Hash: 02a410af085f954d6f965a62779ff6165875a0087ddcced8ad1f46d9fc6575ad
Instruction Fuzzy Hash: 0021D571A042589BCF01DF94D846BEE7BFDAF48714F00505AE548BB341DBB45989CFA1

Function 00E78D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E78DAC
__fread_nolock.LIBCMT ref: 00E78DC1

Strings

EA06, xrefs: 00E78DF3

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 6b6306c27f4630455e9e9a60be84b2b177febdb96412704397655363b71e1266
Instruction ID: 47e7b0da2cd6ec8cbc54003a8012ae9b239503923355aad6141b2ae09ec0d6e7
Opcode Fuzzy Hash: 6b6306c27f4630455e9e9a60be84b2b177febdb96412704397655363b71e1266
Instruction Fuzzy Hash: BA01F9729042187EDB28CAA8C81AEEE7FFCDB11311F00419EF556E2281E875A604C760

Function 00E798E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00E798F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00E7990F

Strings

aut, xrefs: 00E79909

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: aa04043695f80ae28b8135f43c0d231c2084777892782924035dcc494f8329e0
Instruction ID: 281ebbdd960ab6de8bda09bbfe40c8192de74dc2d1564c420c90e3ddfc4de673
Opcode Fuzzy Hash: aa04043695f80ae28b8135f43c0d231c2084777892782924035dcc494f8329e0
Instruction Fuzzy Hash: DAD05E7A54030DAFDB509BA0DD0EF9A773CE704701F4002B2FA94E11A1EAB195998B91

Function 00E8CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da495333aeb162ff7b7cfa695f417c28a5dc15c04aaed4549e6f190fa4808f71
Instruction ID: 7ac5c54aa33ca15a4be38aba93bdcf7d3f49bc08ef384747f84bbdeb48c97786
Opcode Fuzzy Hash: da495333aeb162ff7b7cfa695f417c28a5dc15c04aaed4549e6f190fa4808f71
Instruction Fuzzy Hash: EEF139716083009FC714EF28C484A6ABBE5FF89314F54992EF999AB252D730E945CF92

Function 00E1434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E14370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E14415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E14432

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 68d0e17a2887a6f2b3143900a41ce70396398c4ac3f5f532007e237a054bb6f3
Instruction ID: 11c9319e05f60f8f4369032ce6181ae9426ea705e0d2222a7bcf986f20216dd6
Opcode Fuzzy Hash: 68d0e17a2887a6f2b3143900a41ce70396398c4ac3f5f532007e237a054bb6f3
Instruction Fuzzy Hash: BB3184B15057018FC721DF25D8846DBBBF8FB48309F00092EF59AE6391D7716988CB52

Function 00E3571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00E35733

Part of subcall function 00E3A16B: __NMSG_WRITE.LIBCMT ref: 00E3A192
Part of subcall function 00E3A16B: __NMSG_WRITE.LIBCMT ref: 00E3A19C

__NMSG_WRITE.LIBCMT ref: 00E3573A

Part of subcall function 00E3A1C8: GetModuleFileNameW.KERNEL32(00000000,00ED33BA,00000104,?,00000001,00000000), ref: 00E3A25A
Part of subcall function 00E3A1C8: ___crtMessageBoxW.LIBCMT ref: 00E3A308

Part of subcall function 00E3309F: ___crtCorExitProcess.LIBCMT ref: 00E330A5
Part of subcall function 00E3309F: ExitProcess.KERNEL32 ref: 00E330AE

Part of subcall function 00E38B28: __getptd_noexit.LIBCMT ref: 00E38B28

RtlAllocateHeap.NTDLL(010F0000,00000000,00000001,00000000,?,?,?,00E30DD3,?), ref: 00E3575F

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 0d0052474dcedabf3c2f118a9d6cb41c02851f4fcdf3b62eb04530310537fc89
Instruction ID: d6ed10e4166ca6987cd6f7fbbb3ce73c41fc23018a750c92c803ba1fcfe9efd8
Opcode Fuzzy Hash: 0d0052474dcedabf3c2f118a9d6cb41c02851f4fcdf3b62eb04530310537fc89
Instruction Fuzzy Hash: 1C01DE36201B02DED6142739EC8EA6A6F988B82366F102537F805BA292DEB08840C661

Function 00E798A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00E79548,?,?,?,?,?,00000004), ref: 00E798BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00E79548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00E798D1
CloseHandle.KERNEL32(00000000,?,00E79548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00E798D8

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 62b4f77edbc81b529be546e77731ac27ce4d09b87699698932d9d820896f24c6
Instruction ID: 65f67220943d833fa41fc8a1d12423d5158a65c86f4465a20f1730e8d96467b6
Opcode Fuzzy Hash: 62b4f77edbc81b529be546e77731ac27ce4d09b87699698932d9d820896f24c6
Instruction Fuzzy Hash: D5E08632141314BBE7211B66EC09FCE7B19EB06765F108222FB54B90E187B1151597D8

Function 00E78D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E78D1B

Part of subcall function 00E32D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00E39A24), ref: 00E32D69
Part of subcall function 00E32D55: GetLastError.KERNEL32(00000000,?,00E39A24), ref: 00E32D7B

_free.LIBCMT ref: 00E78D2C
_free.LIBCMT ref: 00E78D3E

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c56cf7ee783aa8295308e84720220828ccc4d403300e1e82c1220f1652f177a4
Instruction ID: f36e3ee1f04c2a5ca7805b21295ab7b9e6044d6cbf2161b0d57b399f38569906
Opcode Fuzzy Hash: c56cf7ee783aa8295308e84720220828ccc4d403300e1e82c1220f1652f177a4
Instruction Fuzzy Hash: A1E012B164160146CB34A578AE4CA9317EC4F68356B64691DB64DF7186DF64F842C124

Function 00E1A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00E4FC01

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 8f2fae5c16949c03066f25daae9b5d9012f8a8738c9a744420fe65d6bb046af4
Instruction ID: 7b0aea266a8afdb55da05d794bad36ce7acd5a04f87b5f3ffe59e501427927e4
Opcode Fuzzy Hash: 8f2fae5c16949c03066f25daae9b5d9012f8a8738c9a744420fe65d6bb046af4
Instruction Fuzzy Hash: 1E226D70509301DFC724DF14C454AAABBE1FF85304F19A96DE89AAB362D731ED85CB82

Function 00E17A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E17AAB
_memmove.LIBCMT ref: 00E17B16

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 40fbce4a1fea4cfe3bf1a015a5a2827c9472d34ae18aa590b79f6fb0e3b65f37
Instruction ID: aee05567a7018d02b63af60c09c6a80f6054b040a93fd87d0e68ca406345dc9a
Opcode Fuzzy Hash: 40fbce4a1fea4cfe3bf1a015a5a2827c9472d34ae18aa590b79f6fb0e3b65f37
Instruction Fuzzy Hash: 3C31C2B1604606AFC704DF68C8D1EA9F3F9FF48720B549629E459DB391EB30E960CB90

Function 00E147D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00E14834

Part of subcall function 00E3336C: __lock.LIBCMT ref: 00E33372
Part of subcall function 00E3336C: DecodePointer.KERNEL32(00000001,?,00E14849,00E67C74), ref: 00E3337E
Part of subcall function 00E3336C: EncodePointer.KERNEL32(?,?,00E14849,00E67C74), ref: 00E33389

Part of subcall function 00E148FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00E14915
Part of subcall function 00E148FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00E1492A

Part of subcall function 00E13B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E13B68
Part of subcall function 00E13B3A: IsDebuggerPresent.KERNEL32 ref: 00E13B7A
Part of subcall function 00E13B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00ED52F8,00ED52E0,?,?), ref: 00E13BEB
Part of subcall function 00E13B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00E13C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00E14874

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: e9e6a5ec1ae2dc4abd4a5a10c1eb3f22006d20717cec6ec862270ef32d6c9a5c
Instruction ID: d96d73b141f3057d49383f05f4b2ed36e5b030a8f54c0e8b0f8e01e96dfde417
Opcode Fuzzy Hash: e9e6a5ec1ae2dc4abd4a5a10c1eb3f22006d20717cec6ec862270ef32d6c9a5c
Instruction Fuzzy Hash: 2B116A729093019FC700DF6AE84598EBFE8EB89750F10451FF051A32B1DB709589CB92

Function 00E30DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E3571C: __FF_MSGBANNER.LIBCMT ref: 00E35733
Part of subcall function 00E3571C: __NMSG_WRITE.LIBCMT ref: 00E3573A
Part of subcall function 00E3571C: RtlAllocateHeap.NTDLL(010F0000,00000000,00000001,00000000,?,?,?,00E30DD3,?), ref: 00E3575F

std::exception::exception.LIBCMT ref: 00E30DEC
__CxxThrowException@8.LIBCMT ref: 00E30E01

Part of subcall function 00E3859B: RaiseException.KERNEL32(?,?,?,00EC9E78,00000000,?,?,?,?,00E30E06,?,00EC9E78,?,00000001), ref: 00E385F0

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 1696a6bd7de7583b04cb1144b1eb6058bed5a690586e8fecce63a2c4c9654c5b
Instruction ID: 80364db4b7e2b74a3e58591abbaf8f4590ebe61522d8264240eed8cca3f3ca0a
Opcode Fuzzy Hash: 1696a6bd7de7583b04cb1144b1eb6058bed5a690586e8fecce63a2c4c9654c5b
Instruction Fuzzy Hash: 76F0A43150031966CB10BAA8ED1AADE7FEC9F05315F10646AF914B6A82DF71AA40C2D1

Function 00E355FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E3562C
__lock_file.LIBCMT ref: 00E3564D

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: d50e3a0278bdd47f487aa136c3ca87ca31fcdb291c4f495bc0649e3515e94cba
Instruction ID: 309f8df2ea6b2caaba5e9eca8663a7b18943e7efb8a8ebb1122cf24653034f2c
Opcode Fuzzy Hash: d50e3a0278bdd47f487aa136c3ca87ca31fcdb291c4f495bc0649e3515e94cba
Instruction Fuzzy Hash: 1D01F7B2800708EBCF12AF649D0F9AE7FA1AF90361F446115F8243B291DB318A11DF91

Function 00E353A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E38B28: __getptd_noexit.LIBCMT ref: 00E38B28

__lock_file.LIBCMT ref: 00E353EB

Part of subcall function 00E36C11: __lock.LIBCMT ref: 00E36C34

__fclose_nolock.LIBCMT ref: 00E353F6

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 60e68c27dbe69ad1f1dbf95932d902d31a2f77cc1bffc2bf8a678ef9a0d27496
Instruction ID: c6510ab3ea5abc81849da371ecdd23a3c24bd1fac4a6fe0675d7f376596012f1
Opcode Fuzzy Hash: 60e68c27dbe69ad1f1dbf95932d902d31a2f77cc1bffc2bf8a678ef9a0d27496
Instruction Fuzzy Hash: A4F09072801B049ADB11BB759D0E7AD6EE06F42374F25A208B424BB2C1CFBC8941DB92

Function 01183155 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01183985
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 011839A9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 011839CB

Memory Dump Source

Source File: 00000000.00000002.2064673390.0000000001181000.00000040.00000020.00020000.00000000.sdmp, Offset: 01181000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1181000_hesaphareketi-01.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction ID: e4f9f5042c3ef6678e1e05f7d6f1c106dcedea25ddb7d2a5e7906668a345956b
Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction Fuzzy Hash: C312DD24E24658C6EB24DF64D8507DEB232FF68300F1091E9910DEB7A5E77A4E81CF5A

Function 00E30C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00E30CB7

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 6a70736b96e658cd7fd1aefdac17b992f693453956d28d9bbc5fdc8966e3d67c
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 0431D570A001059BC718DF58C4A8A69FBA6FB59314F64A7A5E80AEB351D731EDC1DBC0

Function 00E4FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00E4FCB7

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 8d668c5346de4e428b5308ca1a296e6659452dd47ff59becb4c0398d1f2d0726
Instruction ID: d00e6fcf248747deac89df04e4f97f07ce453308988516aaf6d7b8a9c920e493
Opcode Fuzzy Hash: 8d668c5346de4e428b5308ca1a296e6659452dd47ff59becb4c0398d1f2d0726
Instruction Fuzzy Hash: DD411A746043519FDB14DF14C454B5ABBE1BF45318F0998ACE899AB362C732EC85CF52

Function 00E17B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E17BB3

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: b5acf007c83fbadd972e81498dea2e497597e0ce02603ba67946c4050b2edd8a
Instruction ID: 29f732dbc0797cc2ea869c159e4c56d613b87ce9ca9d976a7a2779b0bfaca95a
Opcode Fuzzy Hash: b5acf007c83fbadd972e81498dea2e497597e0ce02603ba67946c4050b2edd8a
Instruction Fuzzy Hash: 26213672A08A08EFDB188F16FC81BA9BBF4FB14751F21946DE886F5290EB3190D0C741

Function 00E14DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E14BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00E14BEF

Part of subcall function 00E3525B: __wfsopen.LIBCMT ref: 00E35266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00ED52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E14E0F

Part of subcall function 00E14B6A: FreeLibrary.KERNEL32(00000000), ref: 00E14BA4

Part of subcall function 00E14C70: _memmove.LIBCMT ref: 00E14CBA

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 73a84690ef72d830ccf6f5cbefb6914986d8d747e055a4299a6f3c62745991b6
Instruction ID: b02e50e050d73f7d30e31913acd8224043589339e770da16e47dfb49caa4fff3
Opcode Fuzzy Hash: 73a84690ef72d830ccf6f5cbefb6914986d8d747e055a4299a6f3c62745991b6
Instruction Fuzzy Hash: 0611E372604209ABCF15AF70CC16FEE77E9AF44710F109829F541FB2C1EA719A419B50

Function 00E4FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00E4FD91

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 3e31e6cdfc287836497eb863ff1bc0eeb4c5a74f52250136f7e106d6f3309a41
Instruction ID: df1b16be822f9707b171dd2e24bd83cff0fb21c78cdc52ef821cc69f2a8c203b
Opcode Fuzzy Hash: 3e31e6cdfc287836497eb863ff1bc0eeb4c5a74f52250136f7e106d6f3309a41
Instruction Fuzzy Hash: DA215770608301DFCB14DF24C454B6ABBE1BF88318F09986CF88A67722D731E849CB92

Function 00E3072A Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b837fddc62236676089ef9a64a40dfba558c432fde9405eed89bac92178759d4
Instruction ID: 18c68bc3adbff39629ef0a8e2664d8e5bff83c74d0af4bad626cdeba04341403
Opcode Fuzzy Hash: b837fddc62236676089ef9a64a40dfba558c432fde9405eed89bac92178759d4
Instruction Fuzzy Hash: 5C01F97A9101206FF7225A15A845EF7FBE8EB80765F0080BFE858E7841D62169A9CED1

Function 00E34863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00E348A6

Part of subcall function 00E38B28: __getptd_noexit.LIBCMT ref: 00E38B28

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 7a3b19ffc72cd9f2e1a934bde1c858e4f96c7fc7c89a20566dad4a4bf176c7dd
Instruction ID: 10c16a786be7269babd7c071d2869ce9dd886c9c456f3296a74314e9355ef1be
Opcode Fuzzy Hash: 7a3b19ffc72cd9f2e1a934bde1c858e4f96c7fc7c89a20566dad4a4bf176c7dd
Instruction Fuzzy Hash: 06F022B1900349EBDF15AFB08C0E7EE3EE0AF00328F01A408F424BA1C1CB788951DB41

Function 00E14E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00ED52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E14E7E

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 2533cf5806dba71cf3f3841d03afa48c04f08ac87c15cc9eda61fc3a708695d7
Instruction ID: cb04b9cd508ad35ba044dcaeabd14e675324fe3f82ee7e36e82baaadfbc64dc8
Opcode Fuzzy Hash: 2533cf5806dba71cf3f3841d03afa48c04f08ac87c15cc9eda61fc3a708695d7
Instruction Fuzzy Hash: 7BF030B5501711CFCB349F65E494892BBE1BF14329310993EE1D7AA750C7319884DF80

Function 00E30791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E307B0

Part of subcall function 00E17BCC: _memmove.LIBCMT ref: 00E17C06

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 5ce02ebd7b20eb550fbeee3b20e60e9f3468ff0a898810b8e83c32ef826b0953
Instruction ID: 0d6f849c2dee2a21c830c553ea11c5a01accbd2a1a3f8fc461b34b2f63d8f085
Opcode Fuzzy Hash: 5ce02ebd7b20eb550fbeee3b20e60e9f3468ff0a898810b8e83c32ef826b0953
Instruction Fuzzy Hash: 35E0CD769041285BC720D6599C05FEA77EDDFC87A0F0441F6FD0CE7215D9609CC086D0

Function 00E78E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00E78EC1

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: 635f834242edb47e9f96c68bf7e5cf1c6c77c42579ea0e0b356abe82e5876335
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: 75E092B1104B005BD7388A24DC14BE377E1EB15308F00181DF2AAD3241EB627841C759

Function 00E3525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00E35266

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 3f2f584bd586c0d4f26628f1c07b9eea9d81510a6086adb8d6dd919bcf683edb
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 23B0927644020C77CE012A82EC02A4A3F699B41764F408020FB0C28272A673E6649A89

Function 01184154 Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01184169

Memory Dump Source

Source File: 00000000.00000002.2064673390.0000000001181000.00000040.00000020.00020000.00000000.sdmp, Offset: 01181000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1181000_hesaphareketi-01.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 06422e85b41ce9f4956287807fda274404936577f4acb49f062ae5e5d7fc59f3
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 86E0BF7494010EEFDB00EFA4D5496DD7BB4EF04301F1046A1FD05D7680DB309E548A62

Function 01184158 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01184169

Memory Dump Source

Source File: 00000000.00000002.2064673390.0000000001181000.00000040.00000020.00020000.00000000.sdmp, Offset: 01181000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1181000_hesaphareketi-01.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 86ea7a8de360daf736c4f26c4690954d518aa2d527cdf9e054e47733b031c857
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: A0E0E67494010EEFDB00EFB4D54969D7BB4EF04301F104261FD01D2280DB309D508A62

Non-executed Functions

Function 00E9CABC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00E12612: GetWindowLongW.USER32(?,000000EB), ref: 00E12623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00E9CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00E9CB95
GetWindowLongW.USER32(?,000000F0), ref: 00E9CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E9CC00
SendMessageW.USER32 ref: 00E9CC29
_wcsncpy.LIBCMT ref: 00E9CC95
GetKeyState.USER32(00000011), ref: 00E9CCB6
GetKeyState.USER32(00000009), ref: 00E9CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00E9CCD9
GetKeyState.USER32(00000010), ref: 00E9CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E9CD0C
SendMessageW.USER32 ref: 00E9CD33
SendMessageW.USER32(?,00001030,?,00E9B348), ref: 00E9CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00E9CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00E9CE60
SetCapture.USER32(?), ref: 00E9CE69
ClientToScreen.USER32(?,?), ref: 00E9CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00E9CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00E9CEF5
ReleaseCapture.USER32 ref: 00E9CF00
GetCursorPos.USER32(?), ref: 00E9CF3A
ScreenToClient.USER32(?,?), ref: 00E9CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 00E9CFA3
SendMessageW.USER32 ref: 00E9CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 00E9D00E
SendMessageW.USER32 ref: 00E9D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00E9D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00E9D06D
GetCursorPos.USER32(?), ref: 00E9D08D
ScreenToClient.USER32(?,?), ref: 00E9D09A
GetParent.USER32(?), ref: 00E9D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 00E9D123
SendMessageW.USER32 ref: 00E9D154
ClientToScreen.USER32(?,?), ref: 00E9D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00E9D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 00E9D20C
SendMessageW.USER32 ref: 00E9D22F
ClientToScreen.USER32(?,?), ref: 00E9D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00E9D2B5

Part of subcall function 00E125DB: GetWindowLongW.USER32(?,000000EB), ref: 00E125EC

GetWindowLongW.USER32(?,000000F0), ref: 00E9D351

Strings

pb, xrefs: 00E9CEAF
F, xrefs: 00E9D235
@GUI_DRAGID, xrefs: 00E9CE9C

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pb
API String ID: 3977979337-96320988
Opcode ID: eb93d8e0163c9a1c8a5d0d6f3ff57f5eb14fb0e743efc4f9f8c44f773e8fed87
Instruction ID: 8d1ed0acca24ef1700e064a5ecc2eaec4d57dbc28e17ab8abd762ceca585ffbf
Opcode Fuzzy Hash: eb93d8e0163c9a1c8a5d0d6f3ff57f5eb14fb0e743efc4f9f8c44f773e8fed87
Instruction Fuzzy Hash: 5C42EB34208340AFCB24DF25CC84AAABBE5FF49354F24192AF695E72B1D731D854DB92

Function 00E26F9E Relevance: 55.8, APIs: 19, Strings: 10, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E271C3
_memset.LIBCMT ref: 00E27539
_memmove.LIBCMT ref: 00E276AC

Strings

_, xrefs: 00E623CB
[:<:]], xrefs: 00E27479
DEFINE, xrefs: 00E62103
P\, xrefs: 00E61AB8
\b(?<=\w), xrefs: 00E63773
3c, xrefs: 00E623A0
\b(?=\w), xrefs: 00E63769
[:>:]], xrefs: 00E27492
], xrefs: 00E61A22
Q\E, xrefs: 00E27FCB

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: _memmove$_memset
String ID: ]$3c$DEFINE$P\$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_
API String ID: 1357608183-1767882695
Opcode ID: 048282f3d51d850398f7d04e10ef85a1b977897276e8d28cf7a9069cbdd9db74
Instruction ID: 00e5803524f7f8d15e79b2c1e8cf60661cab3d367b4e99d6afd359a85d74aca6
Opcode Fuzzy Hash: 048282f3d51d850398f7d04e10ef85a1b977897276e8d28cf7a9069cbdd9db74
Instruction Fuzzy Hash: C693B271E40215DBDB24CFA8E881BEDB7B1FF48354F24A16AE955BB281E7709D81CB40

Function 00E148D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00E148DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E4D665
IsIconic.USER32(?), ref: 00E4D66E
ShowWindow.USER32(?,00000009), ref: 00E4D67B
SetForegroundWindow.USER32(?), ref: 00E4D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00E4D69B
GetCurrentThreadId.KERNEL32 ref: 00E4D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 00E4D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00E4D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 00E4D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 00E4D6CF
SetForegroundWindow.USER32(?), ref: 00E4D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E4D6E7
keybd_event.USER32(00000012,00000000), ref: 00E4D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E4D6FC
keybd_event.USER32(00000012,00000000), ref: 00E4D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E4D70A
keybd_event.USER32(00000012,00000000), ref: 00E4D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E4D719
keybd_event.USER32(00000012,00000000), ref: 00E4D71E
SetForegroundWindow.USER32(?), ref: 00E4D721
AttachThreadInput.USER32(?,?,00000000), ref: 00E4D748

Strings

Shell_TrayWnd, xrefs: 00E4D660

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: dc092ee827bc77ec1b9e60cf85c3d3f78a46f27d7006bd9818e2a1d2117f91d9
Instruction ID: d7200ef69f2e93d84d960c4163f1124b5193a5b9de169d413e91738db0d27050
Opcode Fuzzy Hash: dc092ee827bc77ec1b9e60cf85c3d3f78a46f27d7006bd9818e2a1d2117f91d9
Instruction Fuzzy Hash: 6D315371A40318BFEB216B629C49FBF7E6CEB44B50F114027FA04FA1D1C6B05D51AAA1

Function 00E68310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00E687E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E6882B
Part of subcall function 00E687E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E68858
Part of subcall function 00E687E1: GetLastError.KERNEL32 ref: 00E68865

_memset.LIBCMT ref: 00E68353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00E683A5
CloseHandle.KERNEL32(?), ref: 00E683B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00E683CD
GetProcessWindowStation.USER32 ref: 00E683E6
SetProcessWindowStation.USER32(00000000), ref: 00E683F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00E6840A

Part of subcall function 00E681CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00E68309), ref: 00E681E0
Part of subcall function 00E681CB: CloseHandle.KERNEL32(?,?,00E68309), ref: 00E681F2

Strings

, xrefs: 00E68362
winsta0, xrefs: 00E683C8
default, xrefs: 00E68405

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: d0caa8b0c0e9094f8f9e8f82c8b3356638654eb6ecba9124a3261647fb5e4f91
Instruction ID: 69e1bd51a47ba033a97d48a50ee78cebea331ea362a61d798678bbf4aee6b643
Opcode Fuzzy Hash: d0caa8b0c0e9094f8f9e8f82c8b3356638654eb6ecba9124a3261647fb5e4f91
Instruction Fuzzy Hash: E4817E71940209AFDF119FA4ED45AEE7BB8FF04348F14626AF911B2161DB318E14DB60

Function 00E7C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00E7C78D
FindClose.KERNEL32(00000000), ref: 00E7C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E7C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E7C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 00E7C844
__swprintf.LIBCMT ref: 00E7C890
__swprintf.LIBCMT ref: 00E7C8D3

Part of subcall function 00E17DE1: _memmove.LIBCMT ref: 00E17E22

__swprintf.LIBCMT ref: 00E7C927

Part of subcall function 00E33698: __woutput_l.LIBCMT ref: 00E336F1

__swprintf.LIBCMT ref: 00E7C975

Part of subcall function 00E33698: __flsbuf.LIBCMT ref: 00E33713
Part of subcall function 00E33698: __flsbuf.LIBCMT ref: 00E3372B

__swprintf.LIBCMT ref: 00E7C9C4
__swprintf.LIBCMT ref: 00E7CA13
__swprintf.LIBCMT ref: 00E7CA62

Strings

%02d, xrefs: 00E7C91B, 00E7C925, 00E7C973, 00E7C9C2, 00E7CA11, 00E7CA60
%4d%02d%02d%02d%02d%02d, xrefs: 00E7C88A
%4d, xrefs: 00E7C8CD

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 12cee7073c9d6f6c7ca078c0abd2ed03eb8a1a6999c3bd0892cd7d304b9f4bb8
Instruction ID: 5ef7bd67fa97b96a514f2de2a6bde8cf524e945129f5a9111480ad9f0427cfd5
Opcode Fuzzy Hash: 12cee7073c9d6f6c7ca078c0abd2ed03eb8a1a6999c3bd0892cd7d304b9f4bb8
Instruction Fuzzy Hash: FBA14EB1408304ABC704EFA4C996DEFB7ECAF85704F40591EF595E6192EB34DA48CB62

Function 00E7EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00E7EFB6
_wcscmp.LIBCMT ref: 00E7EFCB
_wcscmp.LIBCMT ref: 00E7EFE2
GetFileAttributesW.KERNEL32(?), ref: 00E7EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 00E7F00E
FindNextFileW.KERNEL32(00000000,?), ref: 00E7F026
FindClose.KERNEL32(00000000), ref: 00E7F031
FindFirstFileW.KERNEL32(*.*,?), ref: 00E7F04D
_wcscmp.LIBCMT ref: 00E7F074
_wcscmp.LIBCMT ref: 00E7F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 00E7F09D
SetCurrentDirectoryW.KERNEL32(00EC8920), ref: 00E7F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 00E7F0C5
FindClose.KERNEL32(00000000), ref: 00E7F0D2
FindClose.KERNEL32(00000000), ref: 00E7F0E4

Strings

*.*, xrefs: 00E7F048

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: c6e624fc4e3f647229e110861af6b75c297b76670b7f7466cd172b43ddc1e47d
Instruction ID: c2a9e8e8ca0b11387fe33aac80e4d81130ffde7c081b2eb3e792baf3dbd5da4b
Opcode Fuzzy Hash: c6e624fc4e3f647229e110861af6b75c297b76670b7f7466cd172b43ddc1e47d
Instruction Fuzzy Hash: 9331B0326012197FDB14EBB5DC58FEE77AC9F48364F149176E808F22A1DB70DA44CA61

Function 00E90857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E90953
RegCreateKeyExW.ADVAPI32(?,?,00000000,00E9F910,00000000,?,00000000,?,?), ref: 00E909C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00E90A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00E90A92
RegCloseKey.ADVAPI32(?), ref: 00E90DB2
RegCloseKey.ADVAPI32(00000000), ref: 00E90DBF

Strings

REG_DWORD, xrefs: 00E90C83
REG_EXPAND_SZ, xrefs: 00E90A2F
REG_SZ, xrefs: 00E90AD0
REG_QWORD, xrefs: 00E90D00
REG_BINARY, xrefs: 00E90D4D
REG_MULTI_SZ, xrefs: 00E90B7A

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 6d0a64a65ad8b9900db3cea5726ab84ca33b95473feae0f8dd0c20e7f37edd04
Instruction ID: 7875558929db46aea6835c4eefd7911ed77c1e30b86235141d9631c570951b8a
Opcode Fuzzy Hash: 6d0a64a65ad8b9900db3cea5726ab84ca33b95473feae0f8dd0c20e7f37edd04
Instruction Fuzzy Hash: 5E028D756006119FCB14EF24C895E6AB7E5FF89714F04985DF89AAB362CB30ED41CB81

Function 00E266E1 Relevance: 25.9, Strings: 20, Instructions: 889COMMON

Download Yara Rule

Strings

_, xrefs: 00E61465, 00E6150C, 00E615B4
0D, xrefs: 00E26733
UTF16), xrefs: 00E610CF
0E, xrefs: 00E2673D
LIMIT_MATCH=, xrefs: 00E61170
ANYCRLF), xrefs: 00E612FB
NO_AUTO_POSSESS), xrefs: 00E6112E
LIMIT_RECURSION=, xrefs: 00E611FC
NO_START_OPT), xrefs: 00E6114F
UTF), xrefs: 00E610FA
BSR_ANYCRLF), xrefs: 00E6131E
pG, xrefs: 00E26751
ANY), xrefs: 00E612DE
LF), xrefs: 00E612A4
CRLF), xrefs: 00E612C1
CR), xrefs: 00E61287
UCP), xrefs: 00E6110D
BSR_UNICODE), xrefs: 00E61338
3c, xrefs: 00E268FF
0F, xrefs: 00E26747

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID: 0D$0E$0F$3c$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pG$_
API String ID: 0-821810444
Opcode ID: 9e4a487421ae280fbf5b90348c48a02c471569440fa4cd731f703f5c6eb729c7
Instruction ID: ec3a3f56f582ea495e90777bfe93b21ecff58ebbc41f8b6520d97db77ac5caff
Opcode Fuzzy Hash: 9e4a487421ae280fbf5b90348c48a02c471569440fa4cd731f703f5c6eb729c7
Instruction Fuzzy Hash: 63726E71E40229CBDB15CF59E8817EEB7B5FF48354F1491AAE806FB291DB309981CB90

Function 00E7F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00E7F113
_wcscmp.LIBCMT ref: 00E7F128
_wcscmp.LIBCMT ref: 00E7F13F

Part of subcall function 00E74385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00E743A0

FindNextFileW.KERNEL32(00000000,?), ref: 00E7F16E
FindClose.KERNEL32(00000000), ref: 00E7F179
FindFirstFileW.KERNEL32(*.*,?), ref: 00E7F195
_wcscmp.LIBCMT ref: 00E7F1BC
_wcscmp.LIBCMT ref: 00E7F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 00E7F1E5
SetCurrentDirectoryW.KERNEL32(00EC8920), ref: 00E7F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 00E7F20D
FindClose.KERNEL32(00000000), ref: 00E7F21A
FindClose.KERNEL32(00000000), ref: 00E7F22C

Strings

*.*, xrefs: 00E7F190

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: b7ad033c480f2dfe270b3c6d30c5900d43e5ac0716017f5580ee6c0fbb289cb1
Instruction ID: 1d05b6f3fc72b8e8bbff4706503fb0c06a169c5abd9a762c5c44fe808507181e
Opcode Fuzzy Hash: b7ad033c480f2dfe270b3c6d30c5900d43e5ac0716017f5580ee6c0fbb289cb1
Instruction Fuzzy Hash: 4631D236501259BACB24EFB4EC49FEE77AC9F45364F109176E808F20A2DB31DE45CA64

Function 00E7A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00E7A20F
__swprintf.LIBCMT ref: 00E7A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 00E7A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00E7A293
_memset.LIBCMT ref: 00E7A2B2
_wcsncpy.LIBCMT ref: 00E7A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00E7A323
CloseHandle.KERNEL32(00000000), ref: 00E7A32E
RemoveDirectoryW.KERNEL32(?), ref: 00E7A337
CloseHandle.KERNEL32(00000000), ref: 00E7A341

Strings

:, xrefs: 00E7A252
\??\%s, xrefs: 00E7A22B
\, xrefs: 00E7A247

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 99369bbb24b51bd8b0fdcb047eb0b3ce87d22735531da7f288d9906fedaddf6b
Instruction ID: 309433c539630acb332340566188f4d3fec54ac2943d85361194835af4b7c640
Opcode Fuzzy Hash: 99369bbb24b51bd8b0fdcb047eb0b3ce87d22735531da7f288d9906fedaddf6b
Instruction Fuzzy Hash: EE31ADB1904209ABDB20DFA1DC49FEF37BCAF88705F1451BAF608E2161EB7096458B25

Function 00E7001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00E70097
SetKeyboardState.USER32(?), ref: 00E70102
GetAsyncKeyState.USER32(000000A0), ref: 00E70122
GetKeyState.USER32(000000A0), ref: 00E70139
GetAsyncKeyState.USER32(000000A1), ref: 00E70168
GetKeyState.USER32(000000A1), ref: 00E70179
GetAsyncKeyState.USER32(00000011), ref: 00E701A5
GetKeyState.USER32(00000011), ref: 00E701B3
GetAsyncKeyState.USER32(00000012), ref: 00E701DC
GetKeyState.USER32(00000012), ref: 00E701EA
GetAsyncKeyState.USER32(0000005B), ref: 00E70213
GetKeyState.USER32(0000005B), ref: 00E70221

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: f21b0fed5529de5f49d8c5562133ad6171e97a95358c2cd2a856d7d5925e5d65
Instruction ID: 8afd59872e9cfcb57dd96f9d421a75242b6d4af3bfa0e236be49f5f7b088b3f0
Opcode Fuzzy Hash: f21b0fed5529de5f49d8c5562133ad6171e97a95358c2cd2a856d7d5925e5d65
Instruction Fuzzy Hash: 65510B209053C8A9FB35DBA088147EABFF49F01394F48D59ED5CA761C3DAA49B8CC761

Function 00E903DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E90E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E8FDAD,?,?), ref: 00E90E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E904AC

Part of subcall function 00E19837: __itow.LIBCMT ref: 00E19862
Part of subcall function 00E19837: __swprintf.LIBCMT ref: 00E198AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00E9054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00E905E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00E90822
RegCloseKey.ADVAPI32(00000000), ref: 00E9082F

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 674219bf2d53124e38a6f4e3cd306b82e2337d94267e464597d3a3b49df8d4ad
Instruction ID: 081838016800794a29abc415d8e119c98123870b0e4452ba03fca4dd9b1a83da
Opcode Fuzzy Hash: 674219bf2d53124e38a6f4e3cd306b82e2337d94267e464597d3a3b49df8d4ad
Instruction Fuzzy Hash: 31E16F71204210AFCB14DF24C895E6ABBF8EF89314F44996DF85AEB262D730ED45CB91

Function 00E883BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E19837: __itow.LIBCMT ref: 00E19862
Part of subcall function 00E19837: __swprintf.LIBCMT ref: 00E198AC

CoInitialize.OLE32 ref: 00E88403
CoUninitialize.OLE32 ref: 00E8840E
CoCreateInstance.OLE32(?,00000000,00000017,00EA2BEC,?), ref: 00E8846E
IIDFromString.OLE32(?,?), ref: 00E884E1
VariantInit.OLEAUT32(?), ref: 00E8857B
VariantClear.OLEAUT32(?), ref: 00E885DC

Strings

Invalid parameter, xrefs: 00E884FA
NULL Pointer assignment, xrefs: 00E884B3
Failed to create object, xrefs: 00E88479, 00E8852F

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: e91c0ef9f811dc6dc9ed46c46d2d78903fb3b6ba212d5510142b88d5dba3cf7d
Instruction ID: 4c31c051599bf9d69595062d8a74ca4076d7ae30ba6bb96bf086182638104dae
Opcode Fuzzy Hash: e91c0ef9f811dc6dc9ed46c46d2d78903fb3b6ba212d5510142b88d5dba3cf7d
Instruction Fuzzy Hash: 7A619D716083129FC714EF14CA48FAAB7E4AF45754F40541AF99ABB291CB70ED48CB92

Function 00E84164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00E8418B
EmptyClipboard.USER32 ref: 00E84191
GlobalAlloc.KERNEL32(00000002,?), ref: 00E841A6
CloseClipboard.USER32 ref: 00E84245

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: c2a70dc22be235712a7ffc69e957c7b027d871f311bcc56c326c65f8b9ea2287
Instruction ID: 59aafc9f239a50d8ab393df10e67cd4297161a765938f90052b645fa9b2158ee
Opcode Fuzzy Hash: c2a70dc22be235712a7ffc69e957c7b027d871f311bcc56c326c65f8b9ea2287
Instruction Fuzzy Hash: 6221A1752012159FDB10AF65EC19BAD7BA8EF05750F10802BF94AFB2B2DB30AC45CB94

Function 00E737EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E14750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E14743,?,?,00E137AE,?), ref: 00E14770

Part of subcall function 00E74A31: GetFileAttributesW.KERNEL32(?,00E7370B), ref: 00E74A32

FindFirstFileW.KERNEL32(?,?), ref: 00E738A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00E7394B
MoveFileW.KERNEL32(?,?), ref: 00E7395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00E7397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00E7399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00E739B9

Strings

\*.*, xrefs: 00E7384E, 00E73857, 00E7386C

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 363d3c2fcd5d22016a30ecd802d996b4d06c789d172e34134d61087dba92f18e
Instruction ID: d8446a7aa8c75a9d84d2733ee4187135b0b1e4dead7d0f85bd93c0ab39d8f96f
Opcode Fuzzy Hash: 363d3c2fcd5d22016a30ecd802d996b4d06c789d172e34134d61087dba92f18e
Instruction Fuzzy Hash: 9151BD7180514CAACF05EBB0DA929EDB7B8AF54300F60906AE44AB7191EF306F4DDB61

Function 00E7F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00E17DE1: _memmove.LIBCMT ref: 00E17E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00E7F440
Sleep.KERNEL32(0000000A), ref: 00E7F470
_wcscmp.LIBCMT ref: 00E7F484
_wcscmp.LIBCMT ref: 00E7F49F
FindNextFileW.KERNEL32(?,?), ref: 00E7F53D
FindClose.KERNEL32(00000000), ref: 00E7F553

Strings

*.*, xrefs: 00E7F425

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 48d46ddf60055517af58fc9112dc1fbaf2e77f74d4aa8b4aa6d894ce3e5a4e7d
Instruction ID: 0422249daaf1bf1d5855fd913438a1407e0a9d5c188716c01a03cd100eafa3e0
Opcode Fuzzy Hash: 48d46ddf60055517af58fc9112dc1fbaf2e77f74d4aa8b4aa6d894ce3e5a4e7d
Instruction Fuzzy Hash: 20416C7190021AAFCF14DF64DC49AEEBBB8FF05314F149466E859B3191EB309E85DB90

Function 00E23030 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 587COMMON

Download Yara Rule

Strings

_, xrefs: 00E23322
3c, xrefs: 00E23225

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: __itow__swprintf
String ID: 3c$_
API String ID: 674341424-4099079164
Opcode ID: ab061ae2df89ccb291c44d96abbb253d450af797d705e561359fd7e90b2f2fa2
Instruction ID: 25e238650819c04da2f5094d3fa383f463ff45ba7b373df445a3bf2344fb450a
Opcode Fuzzy Hash: ab061ae2df89ccb291c44d96abbb253d450af797d705e561359fd7e90b2f2fa2
Instruction Fuzzy Hash: A922BF716083109FC724EF24D891BAEB7E4BF84714F40591DF89AA7291DB74EA48CF92

Function 00E25760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E258A5
_memmove.LIBCMT ref: 00E258F5
_memmove.LIBCMT ref: 00E2595B

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: c37a474257f90093a5eaf8764df3a27f439bf801ac04ceca33717c2ea4ce4add
Instruction ID: 121fa76ae354cdbbed9ae1f305854de2e97d51e5040a40f2616b44aa0932e331
Opcode Fuzzy Hash: c37a474257f90093a5eaf8764df3a27f439bf801ac04ceca33717c2ea4ce4add
Instruction Fuzzy Hash: 7412B971A00619DFDF08DFA5EA81AEEB7F5FF88300F105529E856B7250EB36A950CB50

Function 00E751BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00E687E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E6882B
Part of subcall function 00E687E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E68858
Part of subcall function 00E687E1: GetLastError.KERNEL32 ref: 00E68865

ExitWindowsEx.USER32(?,00000000), ref: 00E751F9

Strings

, xrefs: 00E751E7
@, xrefs: 00E751EC
SeShutdownPrivilege, xrefs: 00E751C9

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: fd6eaca1130ddaf5818561d191a278c3a387144cd8b7c8a95653b0f8d72119ec
Instruction ID: 607ffbc407952c278942a585277087b03969f5d72fb241d55e75660881b5ca12
Opcode Fuzzy Hash: fd6eaca1130ddaf5818561d191a278c3a387144cd8b7c8a95653b0f8d72119ec
Instruction Fuzzy Hash: C301F7337916516BE7286268BC8AFFA72A89B05345F21A926F91FF20E3D9D21C008590

Function 00E86283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00E862DC
WSAGetLastError.WSOCK32(00000000), ref: 00E862EB
bind.WSOCK32(00000000,?,00000010), ref: 00E86307
listen.WSOCK32(00000000,00000005), ref: 00E86316
WSAGetLastError.WSOCK32(00000000), ref: 00E86330
closesocket.WSOCK32(00000000,00000000), ref: 00E86344

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: ea91f290d0203806ff72039ef33dcc70f8122cc7701a8ff34bfaf552c2e2daba
Instruction ID: 17fa47ad9bbb67c76e74534b3c3cba87c259f33c7588d33a64e7571adca44e7e
Opcode Fuzzy Hash: ea91f290d0203806ff72039ef33dcc70f8122cc7701a8ff34bfaf552c2e2daba
Instruction Fuzzy Hash: E721D0716002049FCB10EF64D945BAEB7E9EF89324F24515AE81AF7392C770AD45CB51

Function 00E25520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00E30DB6: std::exception::exception.LIBCMT ref: 00E30DEC
Part of subcall function 00E30DB6: __CxxThrowException@8.LIBCMT ref: 00E30E01

_memmove.LIBCMT ref: 00E60258
_memmove.LIBCMT ref: 00E6036D
_memmove.LIBCMT ref: 00E60414

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 9eb811218a3200718f8fc2087ae2fbc666ab7dd3191b185414c69d5aefae15f2
Instruction ID: f55881faabb9560be4c5eaa97404f9bd324ef635c4f0135d12a479c8cb19bf36
Opcode Fuzzy Hash: 9eb811218a3200718f8fc2087ae2fbc666ab7dd3191b185414c69d5aefae15f2
Instruction Fuzzy Hash: 9302CE71A00219DFCF08DF64E985AAEBBF5FF44340F5490A9E80AEB251EB31D954CB90

Function 00E11287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00E12612: GetWindowLongW.USER32(?,000000EB), ref: 00E12623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00E119FA
GetSysColor.USER32(0000000F), ref: 00E11A4E
SetBkColor.GDI32(?,00000000), ref: 00E11A61

Part of subcall function 00E11290: DefDlgProcW.USER32(?,00000020,?), ref: 00E112D8

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: fd24c901484898b4f3ce6008c841f40073c939ee23f7e6d2e6e3fad3059f95a6
Instruction ID: 8b12be193c8ae7f8325d995669a34750a0489505a7f5123763cc0343c26b767f
Opcode Fuzzy Hash: fd24c901484898b4f3ce6008c841f40073c939ee23f7e6d2e6e3fad3059f95a6
Instruction Fuzzy Hash: FDA14971106544BEEB28AB29AC44EFF3D9CDF85389B24315EF702F5192CA24DD8192B2

Function 00E86747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00E87D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00E87DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00E8679E
WSAGetLastError.WSOCK32(00000000), ref: 00E867C7
bind.WSOCK32(00000000,?,00000010), ref: 00E86800
WSAGetLastError.WSOCK32(00000000), ref: 00E8680D
closesocket.WSOCK32(00000000,00000000), ref: 00E86821

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 3587d5a07d32a082dcb375629f9d0997c40244510e855bbd76d15563aaa7df2b
Instruction ID: e5dc6b634afb7901c9b3eb47e4fac6dccec75de57d19832ebec4374698034dfe
Opcode Fuzzy Hash: 3587d5a07d32a082dcb375629f9d0997c40244510e855bbd76d15563aaa7df2b
Instruction Fuzzy Hash: A141E075A00200AFEB14BF649C96FAE77E89F09714F449459F91ABB3C3CA709D408792

Function 00E95376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00E953C5
IsWindowEnabled.USER32 ref: 00E953D3
GetForegroundWindow.USER32(?,?,00000001), ref: 00E953E0
IsIconic.USER32 ref: 00E953EE
IsZoomed.USER32 ref: 00E953FC

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: cd6955a01dd7d059645e5d23e983ab5d1cb8845dfabf1d92080d00a164222198
Instruction ID: 45230be1b72cbb09e01720993aacd15a9b491ac83ae876c1ab4a1ace7af43af8
Opcode Fuzzy Hash: cd6955a01dd7d059645e5d23e983ab5d1cb8845dfabf1d92080d00a164222198
Instruction Fuzzy Hash: 5E11C432300A116FEF22AF279C44AAE7BD8EF457A1B51542AF846F7241CBB0DC41C7A0

Function 00E680A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E680C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E680CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E680D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00E680E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E680F6

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: ecbae172079a541ad91c58507c3acb3853e721e68b1e44643fe502bd238c97c1
Instruction ID: 194857c73cf57cd6ef24d62c49b373de780d324224d43b6fd6b0d2315b8989ef
Opcode Fuzzy Hash: ecbae172079a541ad91c58507c3acb3853e721e68b1e44643fe502bd238c97c1
Instruction Fuzzy Hash: 0AF06231242204BFEB104FA6EC8DE6B3BACEF4A799B100127F945E6150CF61DC46DA60

Function 00E14B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00E14AD0), ref: 00E14B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00E14B57

Strings

kernel32.dll, xrefs: 00E14B40
GetNativeSystemInfo, xrefs: 00E14B51

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 4abfe85fee0daf9fb1454f6a36afc20ce1418dd16e2657cc7d1019959f957fd7
Instruction ID: 4eba767962d08b7a9d67702c3019435de49b5b950faf83543c004bfb11475685
Opcode Fuzzy Hash: 4abfe85fee0daf9fb1454f6a36afc20ce1418dd16e2657cc7d1019959f957fd7
Instruction Fuzzy Hash: 84D012B4A10713DFDB209F33E818B4676E4AF05355B15983BD495F6290E670D4C0C654

Function 00E8EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00E8EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 00E8EE4B

Part of subcall function 00E17DE1: _memmove.LIBCMT ref: 00E17E22

Process32NextW.KERNEL32(00000000,?), ref: 00E8EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00E8EF1A

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 84bc9d68adc06b38a3871aa60d3daec42bcb7eb72c7fc9fb8e66eca531868a92
Instruction ID: 3a3217810a42f00155463b7c648fdb53c139e38fa2c5841dc2ff2306e185b822
Opcode Fuzzy Hash: 84bc9d68adc06b38a3871aa60d3daec42bcb7eb72c7fc9fb8e66eca531868a92
Instruction Fuzzy Hash: D55170715043019FD310EF24DC85EABB7E8EF94710F50582DF599A72A2EB70A948CB92

Function 00E6E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00E6E628

Strings

|, xrefs: 00E6E658
(, xrefs: 00E6E66E

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 32e8d69bf8892701f6faaa4924e1a9575fb9eb3870b911a4a5a17c70e55b0ca0
Instruction ID: 6f02556dd9ba5a513bda6f047477e3d775fca42c3307a8554bdedd877f52f62a
Opcode Fuzzy Hash: 32e8d69bf8892701f6faaa4924e1a9575fb9eb3870b911a4a5a17c70e55b0ca0
Instruction Fuzzy Hash: C4324779A407019FDB28CF59D4819AAB7F0FF48350B15D46EE89AEB3A1E770E941CB40

Function 00E822EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00E8180A,00000000), ref: 00E823E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00E82418

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: b237c9678172b0bb73fc7015ae7788f7e834f1070b888d405ae17d98650bd252
Instruction ID: 92997d50fab46981951b1d8c8e45970a209a93592afa1ca25c99326116bc83de
Opcode Fuzzy Hash: b237c9678172b0bb73fc7015ae7788f7e834f1070b888d405ae17d98650bd252
Instruction Fuzzy Hash: 9641C371A0420ABFEB20AE95DC85EBBB7FCEB40718F10506EF71DB6140EA759E419760

Function 00E7B3FB Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00E7B40B
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00E7B465
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00E7B4B2

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: b6525288c25198dadbc73938788fb4d5dedf8e9da2e8033c64d56063db701d1f
Instruction ID: f3cf49be8813c4831e25dd11b3b5f2ada4c3effcb864a2dc7b2ae89f9253e5e3
Opcode Fuzzy Hash: b6525288c25198dadbc73938788fb4d5dedf8e9da2e8033c64d56063db701d1f
Instruction Fuzzy Hash: B0216035A00108EFCB00EFA5D884AEDBBF8FF49314F1480AAE905EB362DB319955CB51

Function 00E687E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00E30DB6: std::exception::exception.LIBCMT ref: 00E30DEC
Part of subcall function 00E30DB6: __CxxThrowException@8.LIBCMT ref: 00E30E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E6882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E68858
GetLastError.KERNEL32 ref: 00E68865

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 09be1994186c29c8133272a35a42300cf5273f619d70717277c8b4193cfb1892
Instruction ID: a13909234469477e55e42706b18db4013aaf91c543211dc0e5ec0068c0e2845e
Opcode Fuzzy Hash: 09be1994186c29c8133272a35a42300cf5273f619d70717277c8b4193cfb1892
Instruction Fuzzy Hash: 1A11B2B1404204AFD718DF54EC85D6BB7FCEB04310B50952EF455A3201DB70BC00CB60

Function 00E6874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00E68774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00E6878B
FreeSid.ADVAPI32(?), ref: 00E6879B

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 1054c5edb40f065a6c35001b06199bf50c6cb86d7263aa9b9859020d61505396
Instruction ID: 238bd095f30afe5dce457b9792c6c23944fc5a97977138b8f2bb0901b8ff73a2
Opcode Fuzzy Hash: 1054c5edb40f065a6c35001b06199bf50c6cb86d7263aa9b9859020d61505396
Instruction Fuzzy Hash: 2DF04975A5130CBFDF00DFF5DD89AAEBBBCEF08201F1045AAE901E2181E6716A089B50

Function 00E78889 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00E7889B

Part of subcall function 00E3520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00E78F6E,00000000,?,?,?,?,00E7911F,00000000,?), ref: 00E35213
Part of subcall function 00E3520A: __aulldiv.LIBCMT ref: 00E35233

Strings

0e, xrefs: 00E78892

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0e
API String ID: 2893107130-533242481
Opcode ID: 2dde7af480648ddbb50c3a76e654305f8d99318ef1a0a448147b067118d295c4
Instruction ID: 45b05c5cb5d2063283afa2e1dd5d7b3e8add4c19369fb85a76f06540f1eb4273
Opcode Fuzzy Hash: 2dde7af480648ddbb50c3a76e654305f8d99318ef1a0a448147b067118d295c4
Instruction Fuzzy Hash: 1621D2326356108FD329CF25E841A52B3E1EBA4310B689E6DD0F9DB2D0CA34A949CB54

Function 00E74C7F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00E74CB3

Strings

DOWN, xrefs: 00E74C98

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: a4ee95e55635db22f3eb1aec676ce7072d3913e66697aef25f7e91184676f16e
Instruction ID: 04be579740411334e9263b2ad23e30c285f9f8992460e1811614bad6ceef9b77
Opcode Fuzzy Hash: a4ee95e55635db22f3eb1aec676ce7072d3913e66697aef25f7e91184676f16e
Instruction Fuzzy Hash: 96E086B119D7213CF9052559BD07EF707CC8B12335B11610BF814F50C1DE451C8264AC

Function 00E7C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00E7C6FB
FindClose.KERNEL32(00000000), ref: 00E7C72B

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 5924c1476185b636c1de5e94a88ac5b48bd2b279ab721022bf3586b674ba001b
Instruction ID: 258ade41be186bb61db3ca7648c9b61b5807d2788f5af90d335c89990657b35e
Opcode Fuzzy Hash: 5924c1476185b636c1de5e94a88ac5b48bd2b279ab721022bf3586b674ba001b
Instruction Fuzzy Hash: 49118E726002009FDB14EF29D855A6AF7E8EF85324F10851EF8A9E72A1DB30A805CB81

Function 00E7A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00E89468,?,00E9FB84,?), ref: 00E7A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00E89468,?,00E9FB84,?), ref: 00E7A0A9

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 3a13366c220183da7e0202529802684c6794d0157e34649e0d70ecde3e2ffea4
Instruction ID: 5128a90459aca2844b5089408f847ef2a82cd52fef1c1c2ff98823c13aac9ac0
Opcode Fuzzy Hash: 3a13366c220183da7e0202529802684c6794d0157e34649e0d70ecde3e2ffea4
Instruction Fuzzy Hash: 3FF0823510522DBBDB219FA5DC48FEE776CBF09761F008166F909E6191DA309944CBA1

Function 00E681CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00E68309), ref: 00E681E0
CloseHandle.KERNEL32(?,?,00E68309), ref: 00E681F2

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: e8855dbf16c40188af5a6f2699bf157414f728fc7e55337e5fed3ba3d28f45ea
Instruction ID: bb832b39959cf6c769d4ec37dbd4db3d1848b4c5d492430589207c8fce44d3b0
Opcode Fuzzy Hash: e8855dbf16c40188af5a6f2699bf157414f728fc7e55337e5fed3ba3d28f45ea
Instruction Fuzzy Hash: F4E0E671011510AFEB252B71FC09D777BEDEF04355B14992EF865D4470DB625C91DB10

Function 00E3A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00E38D57,?,?,?,00000001), ref: 00E3A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00E3A163

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: d67a81a662e8ab82742450ac15d8724188f3db44e6e7dbb0574f924ed69a0fe1
Instruction ID: ae069e0861b16856e4cc055b76c1a5e650ac65db145f1f3423e6b2b120d25ea9
Opcode Fuzzy Hash: d67a81a662e8ab82742450ac15d8724188f3db44e6e7dbb0574f924ed69a0fe1
Instruction Fuzzy Hash: 12B09231054208EFCA006BA2EC09B883F68EB44BA2F404023F60DD4060CB6654A48A91

Function 00E3F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c23fb1b286e421f84376b424c8f42c0041575274a7a84ad7b4f45894b9c185a9
Instruction ID: f36018bab80e69576494fd0a46badf558b9a723a60a939f79d9f2018ee283c5f
Opcode Fuzzy Hash: c23fb1b286e421f84376b424c8f42c0041575274a7a84ad7b4f45894b9c185a9
Instruction Fuzzy Hash: 9D324662D29F014DD7239635DC36336A649AFBB3C4F15E737F81AB59A6EB28D4838100

Function 00E4242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9cb86fa1842b1c068b174d76efc013d06a7bd12bcf300c45e629b82ae3e39e6
Instruction ID: e39a8a36cf1b5f22212c9e3c74a6f8a86797a3765cb4d663f808d9efe79cde2a
Opcode Fuzzy Hash: e9cb86fa1842b1c068b174d76efc013d06a7bd12bcf300c45e629b82ae3e39e6
Instruction Fuzzy Hash: 3FB11420D2AF404DD763963A8831336BB5CAFBB2C5F55D72BFC2670D22EB2195878141

Function 00E687B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00E68389), ref: 00E687D1

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 3ab381b1738cbf847bf59b33cb0fab921b399b038c91912395dfa805d5406f26
Instruction ID: 64619385caa85b855eda2f21c4124983d9697437a5ba4f4916a66eee59d027bf
Opcode Fuzzy Hash: 3ab381b1738cbf847bf59b33cb0fab921b399b038c91912395dfa805d5406f26
Instruction Fuzzy Hash: 44D05E3226450EAFEF018EA4DC01EAE3B69EB04B01F408112FE15D50A1C775D835AB60

Function 00E3A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00E3A12A

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: afec495989fddc838a6425e8be42a1a4ba94f57a9a8f8bd95b74599f57066436
Instruction ID: ff34f126b451e02379428ab1ceb7ecfa29275ec19490ad41278c2014ad1760d3
Opcode Fuzzy Hash: afec495989fddc838a6425e8be42a1a4ba94f57a9a8f8bd95b74599f57066436
Instruction Fuzzy Hash: 68A0113000020CEB8A002BA2EC08888BFACEB002A0B008022F80C800228B32A8A08A80

Function 00E28808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94d6485134ef9ba428686f7d6a2944d7327ad6eb03cc28538f6532ce1aa47bf8
Instruction ID: 809f4d59d6e4b60552729dcc5085bddc4f371ce381ee422f78e07015c42a28be
Opcode Fuzzy Hash: 94d6485134ef9ba428686f7d6a2944d7327ad6eb03cc28538f6532ce1aa47bf8
Instruction Fuzzy Hash: CF226672605526CBCF388B24E6947BC77A1FB41388F28A06BD846BB5A2DF70DDD1C641

Function 00E321C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 77a8a851f4684c5db1126f1b0616aced0e0d9f517e180584eb25b91c47d59665
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: F6C196322051930ADF2D4639C43803EFEA15EA37B6B5A279DD4F3EB1D4EE20D965D620

Function 00E325FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 0bac28686d83160a006ac1a50f6ad75d1c8b398ca4dba989b8eafd2d4bd0cc3c
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 91C176322051930ADF2D4639C43813EFEA15EE37B675A27ADD4F2EB1D5EE20C925D620

Function 00E31978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: fff0361e144b56e1ff0bb66c885e4eca2a0d75771368cf3b9784fd4d95bd0f2d
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 47C1813220519349DF2D4639C43813EFEA15EA37B675A27EDD4B3EB1C4EE20C925D620

Function 00E87806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00E8785B
DeleteObject.GDI32(00000000), ref: 00E8786D
DestroyWindow.USER32 ref: 00E8787B
GetDesktopWindow.USER32 ref: 00E87895
GetWindowRect.USER32(00000000), ref: 00E8789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00E879DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00E879ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E87A35
GetClientRect.USER32(00000000,?), ref: 00E87A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00E87A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E87A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E87AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E87ABB
GlobalLock.KERNEL32(00000000), ref: 00E87AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E87AD3
GlobalUnlock.KERNEL32(00000000), ref: 00E87ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E87AE3
GlobalFree.KERNEL32(00000000), ref: 00E87AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E87B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00EA2CAC,00000000), ref: 00E87B16
GlobalFree.KERNEL32(00000000), ref: 00E87B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00E87B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00E87B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E87B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E87D7A

Strings

static, xrefs: 00E87A75, 00E87BCC
, xrefs: 00E87D00
AutoIt v3, xrefs: 00E87A2D
DISPLAY, xrefs: 00E87BDD

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 718ad7ecd1b9900e36427dedd429fcb2fa97668720d54cd7ce402bd92a9362e1
Instruction ID: 05914f6694efe94a1694d26bd16207af30a6abc4b0fba370acc70e532fc0aaec
Opcode Fuzzy Hash: 718ad7ecd1b9900e36427dedd429fcb2fa97668720d54cd7ce402bd92a9362e1
Instruction Fuzzy Hash: 5E027A71900215AFDB14DFA5DC89EAEBBB9EB48310F10815AF959FB2A1C730ED45CB60

Function 00E9356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00E9F910), ref: 00E93627
IsWindowVisible.USER32(?), ref: 00E9364B

Strings

SHOWDROPDOWN, xrefs: 00E936E0
ISCHECKED, xrefs: 00E93839
FINDSTRING, xrefs: 00E93776
CURRENTTAB, xrefs: 00E936BD
GETCURRENTSELECTION, xrefs: 00E937E3
SETCURRENTSELECTION, xrefs: 00E937B6
ISENABLED, xrefs: 00E9366B
TABRIGHT, xrefs: 00E9369D
HIDEDROPDOWN, xrefs: 00E93700
SELECTSTRING, xrefs: 00E93806
GETLINECOUNT, xrefs: 00E938C6
SENDCOMMANDID, xrefs: 00E939DA
CHECK, xrefs: 00E9386D
DELSTRING, xrefs: 00E93749
ISVISIBLE, xrefs: 00E93637
GETSELECTED, xrefs: 00E938A3
EDITPASTE, xrefs: 00E9395F
GETLINE, xrefs: 00E9399B
GETCURRENTCOL, xrefs: 00E93928
ADDSTRING, xrefs: 00E93716
UNCHECK, xrefs: 00E93883
GETCURRENTLINE, xrefs: 00E938ED
TABLEFT, xrefs: 00E93687

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 99dc6415411538bb4870b4c7feccc515c5ea4d9319523f5a10647c4c502e8f34
Instruction ID: d05c096e4be881c06fc4a53cacf186f24fc3f9237c2173b07218330fd100f098
Opcode Fuzzy Hash: 99dc6415411538bb4870b4c7feccc515c5ea4d9319523f5a10647c4c502e8f34
Instruction Fuzzy Hash: 52D161702043019BCF14EF20C56AAAE7BE5AF95354F146459F8867B3A3DB31EE4ACB41

Function 00E9A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00E9A630
GetSysColorBrush.USER32(0000000F), ref: 00E9A661
GetSysColor.USER32(0000000F), ref: 00E9A66D
SetBkColor.GDI32(?,000000FF), ref: 00E9A687
SelectObject.GDI32(?,00000000), ref: 00E9A696
InflateRect.USER32(?,000000FF,000000FF), ref: 00E9A6C1
GetSysColor.USER32(00000010), ref: 00E9A6C9
CreateSolidBrush.GDI32(00000000), ref: 00E9A6D0
FrameRect.USER32(?,?,00000000), ref: 00E9A6DF
DeleteObject.GDI32(00000000), ref: 00E9A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 00E9A731
FillRect.USER32(?,?,00000000), ref: 00E9A763
GetWindowLongW.USER32(?,000000F0), ref: 00E9A78E

Part of subcall function 00E9A8CA: GetSysColor.USER32(00000012), ref: 00E9A903
Part of subcall function 00E9A8CA: SetTextColor.GDI32(?,?), ref: 00E9A907
Part of subcall function 00E9A8CA: GetSysColorBrush.USER32(0000000F), ref: 00E9A91D
Part of subcall function 00E9A8CA: GetSysColor.USER32(0000000F), ref: 00E9A928
Part of subcall function 00E9A8CA: GetSysColor.USER32(00000011), ref: 00E9A945
Part of subcall function 00E9A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00E9A953
Part of subcall function 00E9A8CA: SelectObject.GDI32(?,00000000), ref: 00E9A964
Part of subcall function 00E9A8CA: SetBkColor.GDI32(?,00000000), ref: 00E9A96D
Part of subcall function 00E9A8CA: SelectObject.GDI32(?,?), ref: 00E9A97A
Part of subcall function 00E9A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00E9A999
Part of subcall function 00E9A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00E9A9B0
Part of subcall function 00E9A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00E9A9C5
Part of subcall function 00E9A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00E9A9ED

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: fabf29233abaa81825d244cd815edec2fc3c409d3917849d69ed3e52d4ab73b1
Instruction ID: e7eca699247a2c4308b94ca5237f8f288210588411fa1ece5f30e9578b77c44c
Opcode Fuzzy Hash: fabf29233abaa81825d244cd815edec2fc3c409d3917849d69ed3e52d4ab73b1
Instruction Fuzzy Hash: 9A916071008301FFCB109F65DC08A9B7BA9FF88325F145A2BF962E61A1D771D948CB92

Function 00E12C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00E12CA2
DeleteObject.GDI32(00000000), ref: 00E12CE8
DeleteObject.GDI32(00000000), ref: 00E12CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00E12CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00E12D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00E4C43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00E4C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00E4C89D

Part of subcall function 00E11B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E12036,?,00000000,?,?,?,?,00E116CB,00000000,?), ref: 00E11B9A

SendMessageW.USER32(?,00001053), ref: 00E4C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00E4C8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00E4C907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00E4C912

Strings

0, xrefs: 00E4C731

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 42ee588d421f187d391817d496530dc72e5399eb2348c968255bf8c2cb429784
Instruction ID: 54283b326a6d1fffabfdd1240142e01f2309f29a993beb31fb40addb1c0630ee
Opcode Fuzzy Hash: 42ee588d421f187d391817d496530dc72e5399eb2348c968255bf8c2cb429784
Instruction Fuzzy Hash: 89129D30601201EFDB54CF24D888BA9B7E5BF44304F64A56EFA95EB262C731EC95CB91

Function 00E874AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00E874DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00E8759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00E875DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00E875ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00E87633
GetClientRect.USER32(00000000,?), ref: 00E8763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00E87683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00E87692
GetStockObject.GDI32(00000011), ref: 00E876A2
SelectObject.GDI32(00000000,00000000), ref: 00E876A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00E876B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E876BF
DeleteDC.GDI32(00000000), ref: 00E876C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00E876F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 00E8770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00E87746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00E8775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 00E8776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00E8779B
GetStockObject.GDI32(00000011), ref: 00E877A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00E877B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00E877BB

Strings

static, xrefs: 00E8767D, 00E87795
AutoIt v3, xrefs: 00E8762B
msctls_progress32, xrefs: 00E8773C
DISPLAY, xrefs: 00E87688

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 52cc8ecb03284db96f925106c93123c9545b34f02836fc07a9e5f8b178e9a711
Instruction ID: facf9c2cd4eed8fa0e16e29a24415cd6b97da7cebff74d6caadf6ab8df465d28
Opcode Fuzzy Hash: 52cc8ecb03284db96f925106c93123c9545b34f02836fc07a9e5f8b178e9a711
Instruction Fuzzy Hash: 2BA16DB1A41605BFEB14DBA5DC4AFAE7BB9EB08710F104116FA14F72E1C670AD04CBA4

Function 00E7AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00E7AD1E
GetDriveTypeW.KERNEL32(?,00E9FAC0,?,\\.\,00E9F910), ref: 00E7ADFB
SetErrorMode.KERNEL32(00000000,00E9FAC0,?,\\.\,00E9F910), ref: 00E7AF59

Strings

PhysicalDrive, xrefs: 00E7ADA7
MMC, xrefs: 00E7AF1A
Fixed, xrefs: 00E7AE43
USB, xrefs: 00E7AEF0
RAMDisk, xrefs: 00E7AE25
Fibre, xrefs: 00E7AEE9
ATAPI, xrefs: 00E7AECD
\\.\, xrefs: 00E7AD70
RAID, xrefs: 00E7AEF7
Virtual, xrefs: 00E7AF21
1394, xrefs: 00E7AEDB
SATA, xrefs: 00E7AF0C
SSA, xrefs: 00E7AEE2
ATA, xrefs: 00E7AED4
Removable, xrefs: 00E7AE4D
FileBackedVirtual, xrefs: 00E7AF28
SAS, xrefs: 00E7AF05
Unknown, xrefs: 00E7AE1B, 00E7AEBF
SSD, xrefs: 00E7AE86
Network, xrefs: 00E7AE39
SCSI, xrefs: 00E7AEC6
CDROM, xrefs: 00E7AE2F
iSCSI, xrefs: 00E7AEFE

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: a0aa281ab9b6e7debcae28f27918da1f9c8e7cf5d0c0b1367665e25840634112
Instruction ID: 596ecbdcd0313cab18bd94296792dacf5bbfa5e45be5601d308b290bdb5bb574
Opcode Fuzzy Hash: a0aa281ab9b6e7debcae28f27918da1f9c8e7cf5d0c0b1367665e25840634112
Instruction Fuzzy Hash: E65162B1745205AA8B58DB10CB52DFD73A1EB88704728F07BE41BB72D1DA729D42DB43

Function 00E168DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00E16931
__wcsnicmp.LIBCMT ref: 00E16949
__wcsnicmp.LIBCMT ref: 00E16961
__wcsnicmp.LIBCMT ref: 00E16979
__wcsnicmp.LIBCMT ref: 00E16991
__wcsnicmp.LIBCMT ref: 00E169A9
__wcsnicmp.LIBCMT ref: 00E169C1
__wcsnicmp.LIBCMT ref: 00E169D5
__wcsnicmp.LIBCMT ref: 00E16A16
__wcsnicmp.LIBCMT ref: 00E16A2A
__wcsnicmp.LIBCMT ref: 00E16A3E
__wcsnicmp.LIBCMT ref: 00E16A52

Strings

#pragma compile, xrefs: 00E1692B
Unterminated group of comments, xrefs: 00E4E403
Bad directive syntax error, xrefs: 00E4E31A
#cs, xrefs: 00E169CF, 00E16A24
#OnAutoItStartRegister, xrefs: 00E16973
Cannot parse #include, xrefs: 00E4E3F0
#include, xrefs: 00E169A3
#include-once, xrefs: 00E1698B
#comments-start, xrefs: 00E169BB, 00E16A10
#ce, xrefs: 00E16A4C
#requireadmin, xrefs: 00E1695B
#notrayicon, xrefs: 00E16943
#comments-end, xrefs: 00E16A38

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 284566945e926d408995239aaaed88be8bb84188e4ad71eb88a39ff0bb7d8fe6
Instruction ID: 0bb1ed530c051181df2e73bbd2a735e27145291573feca985e56ec5bde19fc00
Opcode Fuzzy Hash: 284566945e926d408995239aaaed88be8bb84188e4ad71eb88a39ff0bb7d8fe6
Instruction Fuzzy Hash: BD81E2B1640305ABCF21AE60EC46FFF7BA8BF55704F047025F905BA192EB61DE85C2A1

Function 00E99A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00E99AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00E99B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 00E99BA7

Strings

0, xrefs: 00E99BE4

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 9af2a056b1e9897cc4ca9d7ca6eb2cf8d051100a796b7ca9736db47ea8b2d6da
Instruction ID: 2cf46e9da7b3d206fa3744a04e91aa60199ee34524058cbd4d9f14d2156b352e
Opcode Fuzzy Hash: 9af2a056b1e9897cc4ca9d7ca6eb2cf8d051100a796b7ca9736db47ea8b2d6da
Instruction Fuzzy Hash: A402D130204301AFDB25CF29CC49BAABBE5FF49308F04552EF995E62A2C775D844CB92

Function 00E9A8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00E9A903
SetTextColor.GDI32(?,?), ref: 00E9A907
GetSysColorBrush.USER32(0000000F), ref: 00E9A91D
GetSysColor.USER32(0000000F), ref: 00E9A928
CreateSolidBrush.GDI32(?), ref: 00E9A92D
GetSysColor.USER32(00000011), ref: 00E9A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00E9A953
SelectObject.GDI32(?,00000000), ref: 00E9A964
SetBkColor.GDI32(?,00000000), ref: 00E9A96D
SelectObject.GDI32(?,?), ref: 00E9A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 00E9A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00E9A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00E9A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00E9A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00E9AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 00E9AA32
DrawFocusRect.USER32(?,?), ref: 00E9AA3D
GetSysColor.USER32(00000011), ref: 00E9AA4B
SetTextColor.GDI32(?,00000000), ref: 00E9AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00E9AA67
SelectObject.GDI32(?,00E9A5FA), ref: 00E9AA7E
DeleteObject.GDI32(?), ref: 00E9AA89
SelectObject.GDI32(?,?), ref: 00E9AA8F
DeleteObject.GDI32(?), ref: 00E9AA94
SetTextColor.GDI32(?,?), ref: 00E9AA9A
SetBkColor.GDI32(?,?), ref: 00E9AAA4

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 4bb982908586b7bd3e8b7f19e2933f15612908e74c501d25821262cb6e015343
Instruction ID: cebbc076ce8921c8053662877ab240ea7f301f8e927e1f499434beaaf0346dfb
Opcode Fuzzy Hash: 4bb982908586b7bd3e8b7f19e2933f15612908e74c501d25821262cb6e015343
Instruction Fuzzy Hash: D8513A71901218EFDF109FA5DC48AAE7BB9FF48320F254226F911FB2A1D6719944CB90

Function 00E989D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00E98AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E98AD2
CharNextW.USER32(0000014E), ref: 00E98B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00E98B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00E98B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E98B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00E98B86
SetWindowTextW.USER32(?,0000014E), ref: 00E98BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00E98BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00E98C1F
_memset.LIBCMT ref: 00E98C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00E98C8D
_memset.LIBCMT ref: 00E98CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00E98D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00E98D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00E98E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00E98E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E98E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E98EB4
DrawMenuBar.USER32(?), ref: 00E98EC3
SetWindowTextW.USER32(?,0000014E), ref: 00E98EEB

Strings

0, xrefs: 00E98E55

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: bc788ebd0aed0ebdf280638f5076b4a07a5aa03994d7956e3a92718c1d115f2b
Instruction ID: f059fe06a9496636a057a8b60ed669e60ee3422bd32e4a7b7b399e13133d1094
Opcode Fuzzy Hash: bc788ebd0aed0ebdf280638f5076b4a07a5aa03994d7956e3a92718c1d115f2b
Instruction Fuzzy Hash: 7FE18071900208AFDF209F61CD84EEE7BB9EF06714F10915AF915BB2A1DB708A84DF60

Function 00E9488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00E949CA
GetDesktopWindow.USER32 ref: 00E949DF
GetWindowRect.USER32(00000000), ref: 00E949E6
GetWindowLongW.USER32(?,000000F0), ref: 00E94A48
DestroyWindow.USER32(?), ref: 00E94A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00E94A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E94ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00E94AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00E94AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00E94B09
IsWindowVisible.USER32(?), ref: 00E94B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00E94B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00E94B58
GetWindowRect.USER32(?,?), ref: 00E94B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00E94B96
GetMonitorInfoW.USER32(00000000,?), ref: 00E94BB0
CopyRect.USER32(?,?), ref: 00E94BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00E94C32

Strings

0, xrefs: 00E94975
(, xrefs: 00E94BA3
tooltips_class32, xrefs: 00E94A96

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 2446d3fc6d4eb9a565a534f98fc5537fd66e0e629edc595c26c08b234d3afaa3
Instruction ID: 99b74c9546d1c82384704fb4f171a55b5fb3aac5cda16ae2675b20fd40dcfda1
Opcode Fuzzy Hash: 2446d3fc6d4eb9a565a534f98fc5537fd66e0e629edc595c26c08b234d3afaa3
Instruction Fuzzy Hash: 50B18BB1608340AFDB04DF65C844F9ABBE4FF88314F00991DF599AB2A2D771E846CB95

Function 00E7449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00E744AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00E744D2
_wcscpy.LIBCMT ref: 00E74500
_wcscmp.LIBCMT ref: 00E7450B
_wcscat.LIBCMT ref: 00E74521
_wcsstr.LIBCMT ref: 00E7452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00E74548
_wcscat.LIBCMT ref: 00E74591
_wcscat.LIBCMT ref: 00E74598
_wcsncpy.LIBCMT ref: 00E745C3

Strings

%u.%u.%u.%u, xrefs: 00E74626
StringFileInfo\, xrefs: 00E7451B
04090000, xrefs: 00E7457E
DefaultLangCodepage, xrefs: 00E745AB
\VarFileInfo\Translation, xrefs: 00E74540

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: b8aa38b4fc745c56138c475f1747efe3940d2f66b716fe0245acd44d9fc34af7
Instruction ID: c3626b6221861d360ff1a288496906a7132a45466b25a83fd0ea5bf7326812fd
Opcode Fuzzy Hash: b8aa38b4fc745c56138c475f1747efe3940d2f66b716fe0245acd44d9fc34af7
Instruction Fuzzy Hash: 6E41F572A003107BDB10AA759C0BEBF7BECDF41710F00606AF909F61C2EB759A01D6A9

Function 00E127D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E128BC
GetSystemMetrics.USER32(00000007), ref: 00E128C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E128EF
GetSystemMetrics.USER32(00000008), ref: 00E128F7
GetSystemMetrics.USER32(00000004), ref: 00E1291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00E12939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00E12949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00E1297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00E12990
GetClientRect.USER32(00000000,000000FF), ref: 00E129AE
GetStockObject.GDI32(00000011), ref: 00E129CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00E129D5

Part of subcall function 00E12344: GetCursorPos.USER32(?), ref: 00E12357
Part of subcall function 00E12344: ScreenToClient.USER32(00ED57B0,?), ref: 00E12374
Part of subcall function 00E12344: GetAsyncKeyState.USER32(00000001), ref: 00E12399
Part of subcall function 00E12344: GetAsyncKeyState.USER32(00000002), ref: 00E123A7

SetTimer.USER32(00000000,00000000,00000028,00E11256), ref: 00E129FC

Strings

AutoIt v3 GUI, xrefs: 00E12974

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 53dfe6cd02e5637e5c0874da07c579e47cfe6af84b4581936f43bc7e21d5e97d
Instruction ID: 6d766d04ba3dc5ab588ce62528b2a091359ff60b89194fa1e36f91aaecc8d1cd
Opcode Fuzzy Hash: 53dfe6cd02e5637e5c0874da07c579e47cfe6af84b4581936f43bc7e21d5e97d
Instruction Fuzzy Hash: 7EB14871A0120AEFDB14DFA9DC45BEE7BA4FB08315F20512AFA15F72A0DB74A850CB50

Function 00E6A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00E6A47A
__swprintf.LIBCMT ref: 00E6A51B
_wcscmp.LIBCMT ref: 00E6A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00E6A583
_wcscmp.LIBCMT ref: 00E6A5BF
GetClassNameW.USER32(?,?,00000400), ref: 00E6A5F6
GetDlgCtrlID.USER32(?), ref: 00E6A648
GetWindowRect.USER32(?,?), ref: 00E6A67E
GetParent.USER32(?), ref: 00E6A69C
ScreenToClient.USER32(00000000), ref: 00E6A6A3
GetClassNameW.USER32(?,?,00000100), ref: 00E6A71D
_wcscmp.LIBCMT ref: 00E6A731
GetWindowTextW.USER32(?,?,00000400), ref: 00E6A757
_wcscmp.LIBCMT ref: 00E6A76B

Part of subcall function 00E3362C: _iswctype.LIBCMT ref: 00E33634

Strings

%s%u, xrefs: 00E6A515

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 607e09d585f677d076c41b50e3422bf557822b4235fa4dd235a737854402250d
Instruction ID: 275378ebbee80dc3a36c4749f1f2288a1e770ae06a109c74351c7fa2bdf5b734
Opcode Fuzzy Hash: 607e09d585f677d076c41b50e3422bf557822b4235fa4dd235a737854402250d
Instruction Fuzzy Hash: 93A1C171644306AFC714DF60D884BAAB7E8FF44388F08552AF999F2150DB30E955CF92

Function 00E6AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00E6AF18
_wcscmp.LIBCMT ref: 00E6AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 00E6AF51
CharUpperBuffW.USER32(?,00000000), ref: 00E6AF6E
_wcscmp.LIBCMT ref: 00E6AF8C
_wcsstr.LIBCMT ref: 00E6AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00E6AFD5
_wcscmp.LIBCMT ref: 00E6AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 00E6B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 00E6B055
_wcscmp.LIBCMT ref: 00E6B065
GetClassNameW.USER32(00000010,?,00000400), ref: 00E6B08D
GetWindowRect.USER32(00000004,?), ref: 00E6B0F6

Strings

ThumbnailClass, xrefs: 00E6AFE0, 00E6B060
@, xrefs: 00E6AEF9

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 0d7a0a5b19a4c59c67138e336da9d42637239a9f385f60768d6f6fa99a21d12a
Instruction ID: da250d45e9330db983951c5cdf1e4b3ff2a513d61f6d579b8672c3bec39ed60e
Opcode Fuzzy Hash: 0d7a0a5b19a4c59c67138e336da9d42637239a9f385f60768d6f6fa99a21d12a
Instruction Fuzzy Hash: 55819371144305AFDB04DF10D885FAA7BD8EF44398F04A46AFD95EA092DB30DD89CB62

Function 00E9C5FE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E12612: GetWindowLongW.USER32(?,000000EB), ref: 00E12623

DragQueryPoint.SHELL32(?,?), ref: 00E9C627

Part of subcall function 00E9AB37: ClientToScreen.USER32(?,?), ref: 00E9AB60
Part of subcall function 00E9AB37: GetWindowRect.USER32(?,?), ref: 00E9ABD6
Part of subcall function 00E9AB37: PtInRect.USER32(?,?,00E9C014), ref: 00E9ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 00E9C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00E9C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00E9C6BE
_wcscat.LIBCMT ref: 00E9C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00E9C705
SendMessageW.USER32(?,000000B0,?,?), ref: 00E9C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 00E9C735
SendMessageW.USER32(?,000000B1,?,?), ref: 00E9C757
DragFinish.SHELL32(?), ref: 00E9C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00E9C851

Strings

@GUI_DROPID, xrefs: 00E9C77E
pb, xrefs: 00E9C79B
@GUI_DRAGFILE, xrefs: 00E9C800
@GUI_DRAGID, xrefs: 00E9C7C9

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pb
API String ID: 169749273-730855631
Opcode ID: fd91acea7fa11b7a3f88e95be2750d1d14f0deae47fb33fbe3920e7124452b27
Instruction ID: 018c78fa5a233a9df285abddf1131b1b76ffbcc0e0bf3300dad68b75f82281c2
Opcode Fuzzy Hash: fd91acea7fa11b7a3f88e95be2750d1d14f0deae47fb33fbe3920e7124452b27
Instruction Fuzzy Hash: 31616D72108300AFC705EF65DC85DAFBBE8EFC9750F10192EF595A21A2DB309949CB92

Function 00E6ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00E6AC33

Strings

REGEXP=, xrefs: 00E6AC48
ACTIVE, xrefs: 00E6AC0E
CLASSNAME=, xrefs: 00E6AC70
[HANDLE:, xrefs: 00E6AC3F
[LAST, xrefs: 00E6ACE0
[ALL, xrefs: 00E6ACD9
HANDLE=, xrefs: 00E6AC2C
ALL, xrefs: 00E6ACC7
[REGEXPTITLE:, xrefs: 00E6AC5B
LAST, xrefs: 00E6ABF8
[CLASS:, xrefs: 00E6AC83
[ACTIVE, xrefs: 00E6AC20

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: c31fb282d86e749afb8f3a6baa954f40bbc16600ca2a5034e2dd78cc2d38261d
Instruction ID: bccde196c04c67fded03e50f81cf3686de17ed9447fb59965ec431684cb04546
Opcode Fuzzy Hash: c31fb282d86e749afb8f3a6baa954f40bbc16600ca2a5034e2dd78cc2d38261d
Instruction Fuzzy Hash: FD319231A88309AADB14EA61EE07FEEB7E4AF10754F643429F491710D1EF526F44CE52

Function 00E84FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00E85013
LoadCursorW.USER32(00000000,00007F00), ref: 00E8501E
LoadCursorW.USER32(00000000,00007F03), ref: 00E85029
LoadCursorW.USER32(00000000,00007F8B), ref: 00E85034
LoadCursorW.USER32(00000000,00007F01), ref: 00E8503F
LoadCursorW.USER32(00000000,00007F81), ref: 00E8504A
LoadCursorW.USER32(00000000,00007F88), ref: 00E85055
LoadCursorW.USER32(00000000,00007F80), ref: 00E85060
LoadCursorW.USER32(00000000,00007F86), ref: 00E8506B
LoadCursorW.USER32(00000000,00007F83), ref: 00E85076
LoadCursorW.USER32(00000000,00007F85), ref: 00E85081
LoadCursorW.USER32(00000000,00007F82), ref: 00E8508C
LoadCursorW.USER32(00000000,00007F84), ref: 00E85097
LoadCursorW.USER32(00000000,00007F04), ref: 00E850A2
LoadCursorW.USER32(00000000,00007F02), ref: 00E850AD
LoadCursorW.USER32(00000000,00007F89), ref: 00E850B8
GetCursorInfo.USER32(?), ref: 00E850C8

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 9605a3b1c415bb52d38c73ceb1dc45c9ff79ee11d7734ed08209ffcfa2746227
Instruction ID: 0925ea25119f7190a617e498edf1933484e248fe90c2ba69ef73e7376f0baaac
Opcode Fuzzy Hash: 9605a3b1c415bb52d38c73ceb1dc45c9ff79ee11d7734ed08209ffcfa2746227
Instruction Fuzzy Hash: 0C3121B1D487196ADB109FB68C899AFBFE8FB04754F50452AA50CF7280DA78A5008F91

Function 00E9A1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E9A259
DestroyWindow.USER32(?,?), ref: 00E9A2D3

Part of subcall function 00E17BCC: _memmove.LIBCMT ref: 00E17C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00E9A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00E9A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E9A382
DestroyWindow.USER32(00000000), ref: 00E9A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00E10000,00000000), ref: 00E9A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E9A3F4
GetDesktopWindow.USER32 ref: 00E9A40D
GetWindowRect.USER32(00000000), ref: 00E9A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00E9A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00E9A444

Part of subcall function 00E125DB: GetWindowLongW.USER32(?,000000EB), ref: 00E125EC

Strings

tooltips_class32, xrefs: 00E9A346, 00E9A3D4
0, xrefs: 00E9A26F

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 2b2acc00e58af8d8e1c19364c22a1e513d414d69b2515f7602942931c74d11ce
Instruction ID: 7c25a0a112dc68de0549905bad08487f6609495f5976702eab52cdd154cf1475
Opcode Fuzzy Hash: 2b2acc00e58af8d8e1c19364c22a1e513d414d69b2515f7602942931c74d11ce
Instruction Fuzzy Hash: 8671AE71140304AFDB25CF28CC49FAA77E6FB89304F08452EF985A72A1C770E946CB92

Function 00E94392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00E94424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00E9446F

Strings

ISCHECKED, xrefs: 00E945F2
GETITEMCOUNT, xrefs: 00E94551
CHECK, xrefs: 00E9448F
SELECT, xrefs: 00E94620
COLLAPSE, xrefs: 00E944B5
EXISTS, xrefs: 00E944D8
GETTOTALCOUNT, xrefs: 00E94456
GETSELECTED, xrefs: 00E9457F
UNCHECK, xrefs: 00E9464B
EXPAND, xrefs: 00E94521
GETTEXT, xrefs: 00E945C2

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 3e28f00edebe0eb87f5c7731e48914fe092ee01b17b3e2cc5a9e3ee337f5126c
Instruction ID: b9be4fb4d0c130234d3b09c44952ac186907e50cbb0eab3005b9a36f5f88bd22
Opcode Fuzzy Hash: 3e28f00edebe0eb87f5c7731e48914fe092ee01b17b3e2cc5a9e3ee337f5126c
Instruction Fuzzy Hash: 62914BB12047019BCB04EF10C465AAEB7E5AF95354F05686DF8967B3A3CB31ED4ACB81

Function 00E9B7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00E9B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00E991C2), ref: 00E9B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E9B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00E9B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E9B9C3
FreeLibrary.KERNEL32(?), ref: 00E9B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00E9B9DF
DestroyIcon.USER32(?,?,?,?,?,00E991C2), ref: 00E9B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00E9BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00E9BA17

Part of subcall function 00E32EFD: __wcsicmp_l.LIBCMT ref: 00E32F86

Strings

.dll, xrefs: 00E9B86D
.icl, xrefs: 00E9B82A
.exe, xrefs: 00E9B84A

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 3701a25b94d60671284907bd065a112fcc5226e642444bf4c29ea8deb4b4f2e0
Instruction ID: 8e7aecda5ba32f535f7d41b7fdc09d1d0622ab12d8680959168110794cfd989a
Opcode Fuzzy Hash: 3701a25b94d60671284907bd065a112fcc5226e642444bf4c29ea8deb4b4f2e0
Instruction Fuzzy Hash: C761ED71910218BEEF18DF65ED45FBA7BA8EF08710F10411AFA15E61C1DB749980DBA0

Function 00E7A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00E19837: __itow.LIBCMT ref: 00E19862
Part of subcall function 00E19837: __swprintf.LIBCMT ref: 00E198AC

CharLowerBuffW.USER32(?,?), ref: 00E7A3CB
GetDriveTypeW.KERNEL32 ref: 00E7A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E7A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E7A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E7A4C5

Part of subcall function 00E17BCC: _memmove.LIBCMT ref: 00E17C06

Strings

close, xrefs: 00E7A3D1
wait, xrefs: 00E7A482
open, xrefs: 00E7A3F2
close cd wait, xrefs: 00E7A4B0
type cdaudio alias cd wait, xrefs: 00E7A443
set cd door , xrefs: 00E7A466
closed, xrefs: 00E7A3DF, 00E7A3E8
open , xrefs: 00E7A427

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 7a861a268cc43500cac58335cfe355047d534390c0ad98945fd7a112b2db4ab6
Instruction ID: 795ae811f1a764d4e12a322034922364a7606f633b91ff4d80751cae0cb6a4ba
Opcode Fuzzy Hash: 7a861a268cc43500cac58335cfe355047d534390c0ad98945fd7a112b2db4ab6
Instruction Fuzzy Hash: 6B513C711083059FC704EF10C991DAEB7F4EF98718F44986DF89AA7261DB31AD4ACB52

Function 00E6F8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00E4E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00E6F8DF
LoadStringW.USER32(00000000,?,00E4E029,00000001), ref: 00E6F8E8

Part of subcall function 00E17DE1: _memmove.LIBCMT ref: 00E17E22

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,00E4E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00E6F90A
LoadStringW.USER32(00000000,?,00E4E029,00000001), ref: 00E6F90D
__swprintf.LIBCMT ref: 00E6F95D
__swprintf.LIBCMT ref: 00E6F96E
_wprintf.LIBCMT ref: 00E6FA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00E6FA2E

Strings

Line %d:, xrefs: 00E6F968
%s (%d) : ==> %s: %s %s, xrefs: 00E6FA12
^ ERROR, xrefs: 00E6F9C3
Error: , xrefs: 00E6F9E5
Line %d (File "%s"):, xrefs: 00E6F957

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 9a2350fc1e3dc79136806475cd4cc0715ca611c7efb9c85a7a276bc58348a071
Instruction ID: 6f86ee9756ebbce4b2769da2be2cd3cd7732ed5b1b6507fd9056ef8ed21472f7
Opcode Fuzzy Hash: 9a2350fc1e3dc79136806475cd4cc0715ca611c7efb9c85a7a276bc58348a071
Instruction Fuzzy Hash: E941327284420DAACF04FBE0EE46DEEB7B8AF58740F501465F505B60A2EA316F49CB61

Function 00E9BA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00E99207,?,?), ref: 00E9BA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00E99207,?,?,00000000,?), ref: 00E9BA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00E99207,?,?,00000000,?), ref: 00E9BA78
CloseHandle.KERNEL32(00000000,?,?,?,?,00E99207,?,?,00000000,?), ref: 00E9BA85
GlobalLock.KERNEL32(00000000), ref: 00E9BA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00E99207,?,?,00000000,?), ref: 00E9BA9D
GlobalUnlock.KERNEL32(00000000), ref: 00E9BAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,00E99207,?,?,00000000,?), ref: 00E9BAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00E99207,?,?,00000000,?), ref: 00E9BABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00EA2CAC,?), ref: 00E9BAD7
GlobalFree.KERNEL32(00000000), ref: 00E9BAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 00E9BB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00E9BB36
DeleteObject.GDI32(00000000), ref: 00E9BB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00E9BB74

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 8e21269f21ad0a8d41131d37270f987635759009153e6f399c00f7cbe2bb287b
Instruction ID: 9147144d08f17c72875a8f17af0ad117639a47e851f817c31be584235adacf36
Opcode Fuzzy Hash: 8e21269f21ad0a8d41131d37270f987635759009153e6f399c00f7cbe2bb287b
Instruction Fuzzy Hash: F1414975600208EFDB119F66ED88EAEBBB8FB89715F10406AF909E7260D7709D05CB60

Function 00E7D899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00E7DA10
_wcscat.LIBCMT ref: 00E7DA28
_wcscat.LIBCMT ref: 00E7DA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E7DA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 00E7DA63
GetFileAttributesW.KERNEL32(?), ref: 00E7DA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 00E7DA95
SetCurrentDirectoryW.KERNEL32(?), ref: 00E7DAA7

Strings

*.*, xrefs: 00E7DAE6

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 9c8a802f305bebe740d35b385b9c35031b89bbb0cf7cb26a0100104ebecbfc65
Instruction ID: 876767c8f594f79f731c1cf46e5bf88fbb14d0d78622feb5d3b68ebe0829e1e9
Opcode Fuzzy Hash: 9c8a802f305bebe740d35b385b9c35031b89bbb0cf7cb26a0100104ebecbfc65
Instruction Fuzzy Hash: 5A8160725082419FCB24DF64CC44AAAB7F4BFC9314F18A82EF98DE7251E670D945CB52

Function 00E9C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E12612: GetWindowLongW.USER32(?,000000EB), ref: 00E12623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00E9C1FC
GetFocus.USER32 ref: 00E9C20C
GetDlgCtrlID.USER32(00000000), ref: 00E9C217
_memset.LIBCMT ref: 00E9C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00E9C36D
GetMenuItemCount.USER32(?), ref: 00E9C38D
GetMenuItemID.USER32(?,00000000), ref: 00E9C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00E9C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00E9C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00E9C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00E9C489

Strings

0, xrefs: 00E9C33A

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 05ac5801d676a51ca561a4c4ac54bb644ed1441db2ee65d819111f45d074d147
Instruction ID: ab3977a5473c0a524810a968b568d4031987b677529b6728eda617c95e75ac0a
Opcode Fuzzy Hash: 05ac5801d676a51ca561a4c4ac54bb644ed1441db2ee65d819111f45d074d147
Instruction Fuzzy Hash: B8818F712083019FDB10EF15D994AABBBE8FB88718F20592EF995B7291C770D905CB92

Function 00E8731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00E8738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00E8739B
CreateCompatibleDC.GDI32(?), ref: 00E873A7
SelectObject.GDI32(00000000,?), ref: 00E873B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00E87408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00E87444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00E87468
SelectObject.GDI32(00000006,?), ref: 00E87470
DeleteObject.GDI32(?), ref: 00E87479
DeleteDC.GDI32(00000006), ref: 00E87480
ReleaseDC.USER32(00000000,?), ref: 00E8748B

Strings

(, xrefs: 00E87410

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 85f5f11930e92414e5f6a7658035406d143747cca776556ac88cc33f3e2f39ca
Instruction ID: 4b3d304bd0ccd2f0a0ba3f3c7a57ccc952f881effffc63a9bc40f70405854d38
Opcode Fuzzy Hash: 85f5f11930e92414e5f6a7658035406d143747cca776556ac88cc33f3e2f39ca
Instruction Fuzzy Hash: A1513875904309EFCB15DFA9CC85EAEBBB9EF48310F24842AF999E7211C731A944CB50

Function 00E16A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00E30957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00E16B0C,?,00008000), ref: 00E30973

Part of subcall function 00E14750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E14743,?,?,00E137AE,?), ref: 00E14770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00E16BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00E16CFA

Part of subcall function 00E1586D: _wcscpy.LIBCMT ref: 00E158A5

Part of subcall function 00E3363D: _iswctype.LIBCMT ref: 00E33645

Strings

AU3!, xrefs: 00E16B61
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00E4E421
Bad directive syntax error, xrefs: 00E4E79D
>>>AUTOIT SCRIPT<<<, xrefs: 00E4E496
Error opening the file, xrefs: 00E4E43D, 00E4E4B8
EA06, xrefs: 00E4E452
Unterminated string, xrefs: 00E4E7E4

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 48282bf47e14e341d8b54f4b29b199d11f8a7c5ef7b62653d5ad0d92793fc572
Instruction ID: 6bdd788e9f3fdb26a3573a18fc49b1c96d8748cb49c6e292b34575337b1e0cff
Opcode Fuzzy Hash: 48282bf47e14e341d8b54f4b29b199d11f8a7c5ef7b62653d5ad0d92793fc572
Instruction Fuzzy Hash: 84029B711083409FC714EF24D881AEFBBE5BF95318F14691EF49AA72A1DB30D989CB52

Function 00E72D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E72D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00E72DDD
GetMenuItemCount.USER32(00ED5890), ref: 00E72E66
DeleteMenu.USER32(00ED5890,00000005,00000000,000000F5,?,?), ref: 00E72EF6
DeleteMenu.USER32(00ED5890,00000004,00000000), ref: 00E72EFE
DeleteMenu.USER32(00ED5890,00000006,00000000), ref: 00E72F06
DeleteMenu.USER32(00ED5890,00000003,00000000), ref: 00E72F0E
GetMenuItemCount.USER32(00ED5890), ref: 00E72F16
SetMenuItemInfoW.USER32(00ED5890,00000004,00000000,00000030), ref: 00E72F4C
GetCursorPos.USER32(?), ref: 00E72F56
SetForegroundWindow.USER32(00000000), ref: 00E72F5F
TrackPopupMenuEx.USER32(00ED5890,00000000,?,00000000,00000000,00000000), ref: 00E72F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00E72F7E

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: d0535d6db20fd6043cf105c52c5cd4dc878d55ca7b9b5783183c6ce34e07e432
Instruction ID: a339f6e3972efe762190f111d50c11c1ce0b361d1664382c360b6ba9110b27c4
Opcode Fuzzy Hash: d0535d6db20fd6043cf105c52c5cd4dc878d55ca7b9b5783183c6ce34e07e432
Instruction Fuzzy Hash: 9271C271600205BFEB268F55DC85FAABFA4FB04328F10921AF729BA1E1C7715C64DB91

Function 00E888AB Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E888D7
CoInitialize.OLE32(00000000), ref: 00E88904
CoUninitialize.OLE32 ref: 00E8890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00E88A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00E88B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00EA2C0C), ref: 00E88B6F
CoGetObject.OLE32(?,00000000,00EA2C0C,?), ref: 00E88B92
SetErrorMode.KERNEL32(00000000), ref: 00E88BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00E88C25
VariantClear.OLEAUT32(?), ref: 00E88C35

Strings

,,, xrefs: 00E888C1

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,
API String ID: 2395222682-1556401989
Opcode ID: d1b64b0406cf71f7f956eeb22b6f437bf2a07c531646724e60b4db9097e285ab
Instruction ID: 46427515a9524837a34dedba7b66ebbb87bd560ce11e82723141997100016f9e
Opcode Fuzzy Hash: d1b64b0406cf71f7f956eeb22b6f437bf2a07c531646724e60b4db9097e285ab
Instruction Fuzzy Hash: 74C155B1608305AFC704EF24C98496AB7E9FF89348F00595DF88AEB251DB31ED05CB52

Function 00E677DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00E17BCC: _memmove.LIBCMT ref: 00E17C06

_memset.LIBCMT ref: 00E6786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00E678A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00E678BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00E678D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00E67902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00E6792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00E67935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00E6793A

Strings

\CLSID, xrefs: 00E67822
SOFTWARE\Classes\, xrefs: 00E6780C
\IPC$, xrefs: 00E67882

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: b6818c6e632b576dfde44613bee6e020eb11a65d32bba633463f3fca9b154293
Instruction ID: a298777f86368139e7c249e33c945fad134848624226fa3c21886e5d97e2e8af
Opcode Fuzzy Hash: b6818c6e632b576dfde44613bee6e020eb11a65d32bba633463f3fca9b154293
Instruction Fuzzy Hash: A5412672C1422DAACB11EBA4EC85DEDB7B8BF58754F40502AF855B3161EB305E48CB90

Function 00E90E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E8FDAD,?,?), ref: 00E90E31

Strings

HKCC, xrefs: 00E90EFF
HKEY_CURRENT_CONFIG, xrefs: 00E90EEE
HKCR, xrefs: 00E90ED9
HKLM, xrefs: 00E90EAF
HKEY_LOCAL_MACHINE, xrefs: 00E90E9A
HKEY_USERS, xrefs: 00E90F32
HKEY_CURRENT_USER, xrefs: 00E90F10
HKU, xrefs: 00E90F43
HKCU, xrefs: 00E90F21
HKEY_CLASSES_ROOT, xrefs: 00E90EC4

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 7da2e4c7361441930205c66f07ca7ae747f0646b68d78ee15c9fb2972d155cc1
Instruction ID: 7404cd19d1ef1de39c43bc6b7c9a250c4fecd664ece5ca2a5f09634a6a921d5e
Opcode Fuzzy Hash: 7da2e4c7361441930205c66f07ca7ae747f0646b68d78ee15c9fb2972d155cc1
Instruction Fuzzy Hash: 1E4150312002498FCF14EF10E9AAAEE37A4BF91304F543459FC6677292D7319A5AC760

Function 00E6F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00E4E2A0,00000010,?,Bad directive syntax error,00E9F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00E6F7C2
LoadStringW.USER32(00000000,?,00E4E2A0,00000010), ref: 00E6F7C9

Part of subcall function 00E17DE1: _memmove.LIBCMT ref: 00E17E22

_wprintf.LIBCMT ref: 00E6F7FC
__swprintf.LIBCMT ref: 00E6F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00E6F88D

Strings

Line %d:, xrefs: 00E6F818
Error: , xrefs: 00E6F85B
., xrefs: 00E6F873
Line %d (File "%s"):, xrefs: 00E6F833
%s (%d) : ==> %s.: %s %s, xrefs: 00E6F7F7

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 3d784d797c88f0e0b9d210fdfb9d3129e19c593cbe5b726b6f5635115b8d47b1
Instruction ID: 4efbad9b8ee003ed8e4241caa8414a82e26f2afe4af275828a063af0e0dc7962
Opcode Fuzzy Hash: 3d784d797c88f0e0b9d210fdfb9d3129e19c593cbe5b726b6f5635115b8d47b1
Instruction Fuzzy Hash: E221813294021DEFCF15EF90DD0AEED77B9BF18700F041466F515760A2EA319658CB51

Function 00E752C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00E17BCC: _memmove.LIBCMT ref: 00E17C06

Part of subcall function 00E17924: _memmove.LIBCMT ref: 00E179AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00E75330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00E75346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E75357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00E75369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00E7537A

Strings

alias PlayMe, xrefs: 00E75309
play PlayMe, xrefs: 00E75375
status PlayMe mode, xrefs: 00E7532B
play PlayMe wait, xrefs: 00E75364
open , xrefs: 00E752DF
close PlayMe, xrefs: 00E75341, 00E7536E

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 3b37d6e31abce00a697ef89498d54f4c515d228087963f5dcb4a97e314880cab
Instruction ID: eb883b69dff5b0a9bb80a2ff2a8de1566067fc5184730469b273b86ed5d97c74
Opcode Fuzzy Hash: 3b37d6e31abce00a697ef89498d54f4c515d228087963f5dcb4a97e314880cab
Instruction Fuzzy Hash: BB11B231A5022979D720B661CE4AEFFBBBCEBD5F44F00282EB455B20E1EEA10D45C5A0

Function 00E746B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00E746D2
gethostname.WSOCK32(?,00000100), ref: 00E746EC
gethostbyname.WSOCK32(?), ref: 00E746F9
_wcscpy.LIBCMT ref: 00E74721
_memmove.LIBCMT ref: 00E74734
inet_ntoa.WSOCK32(?), ref: 00E7473F
_strcat.LIBCMT ref: 00E7474D
_wcscpy.LIBCMT ref: 00E74764
WSACleanup.WSOCK32 ref: 00E74772
_wcscpy.LIBCMT ref: 00E74780

Strings

0.0.0.0, xrefs: 00E7471B

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 7493fea3a11fac3e8b3ded8694a5958fa01ee0d46c4d8b6e2565611e7d461473
Instruction ID: 5dcce594c44018ca23af39e0d9b834c18d4e070673f15a528bccefb4eb333c65
Opcode Fuzzy Hash: 7493fea3a11fac3e8b3ded8694a5958fa01ee0d46c4d8b6e2565611e7d461473
Instruction Fuzzy Hash: 29110571600114AFCB28AB709C4AEDA7BBCEB02311F0051BBF549F60A1EF718A85CA50

Function 00E74F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00E74F7A

Part of subcall function 00E3049F: timeGetTime.WINMM(?,75A8B400,00E20E7B), ref: 00E304A3

Sleep.KERNEL32(0000000A), ref: 00E74FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00E74FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00E74FEC
SetActiveWindow.USER32 ref: 00E7500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00E75019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00E75038
Sleep.KERNEL32(000000FA), ref: 00E75043
IsWindow.USER32 ref: 00E7504F
EndDialog.USER32(00000000), ref: 00E75060

Strings

BUTTON, xrefs: 00E74FDE

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: cf32d98db944d9e282f1ff48c5b953c0c761cb98fc99bb400110537b96a38ba5
Instruction ID: 4f80cdc12eb1d01b85ec23cee7c07eff6ea3494c1804ff5b856b4b7578961366
Opcode Fuzzy Hash: cf32d98db944d9e282f1ff48c5b953c0c761cb98fc99bb400110537b96a38ba5
Instruction Fuzzy Hash: D0219FB5206604BFE7105F72FC88A263BBAEB04749F04742BF109F11F9CB758D589661

Function 00E7D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E19837: __itow.LIBCMT ref: 00E19862
Part of subcall function 00E19837: __swprintf.LIBCMT ref: 00E198AC

CoInitialize.OLE32(00000000), ref: 00E7D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00E7D67D
SHGetDesktopFolder.SHELL32(?), ref: 00E7D691
CoCreateInstance.OLE32(00EA2D7C,00000000,00000001,00EC8C1C,?), ref: 00E7D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00E7D74C
CoTaskMemFree.OLE32(?,?), ref: 00E7D7A4
_memset.LIBCMT ref: 00E7D7E1
SHBrowseForFolderW.SHELL32(?), ref: 00E7D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00E7D840
CoTaskMemFree.OLE32(00000000), ref: 00E7D847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00E7D87E
CoUninitialize.OLE32(00000001,00000000), ref: 00E7D880

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: c56750916ea6438db624f900f7018fa637fb96a5c982b3e76b7a60538fd111b8
Instruction ID: c20810db82969e632e29c46625f1f07610b9a9429169f267ddd08407da653858
Opcode Fuzzy Hash: c56750916ea6438db624f900f7018fa637fb96a5c982b3e76b7a60538fd111b8
Instruction Fuzzy Hash: 81B1FA75A00109AFDB04DFA4C889DAEBBF9FF48314B149469F90AEB261DB30ED45CB50

Function 00E6C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00E6C283
GetWindowRect.USER32(00000000,?), ref: 00E6C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00E6C2F3
GetDlgItem.USER32(?,00000002), ref: 00E6C2FE
GetWindowRect.USER32(00000000,?), ref: 00E6C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00E6C364
GetDlgItem.USER32(?,000003E9), ref: 00E6C372
GetWindowRect.USER32(00000000,?), ref: 00E6C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00E6C3C6
GetDlgItem.USER32(?,000003EA), ref: 00E6C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00E6C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 00E6C3FE

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: bea3cc45ec25fb362aec595f696c4a95debc3d0bc9a164990d4a747b392ad7b9
Instruction ID: fa0e81b82e82bff80581ed717ad07d27c87b133cf1f0e9f87c6c4e3324509953
Opcode Fuzzy Hash: bea3cc45ec25fb362aec595f696c4a95debc3d0bc9a164990d4a747b392ad7b9
Instruction Fuzzy Hash: EF518371B40205AFDB08CFA9DD89ABEBBB6EB88310F14812EF515E7290D7709D048B50

Function 00E1201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00E11B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E12036,?,00000000,?,?,?,?,00E116CB,00000000,?), ref: 00E11B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00E120D3
KillTimer.USER32(-00000001,?,?,?,?,00E116CB,00000000,?,?,00E11AE2,?,?), ref: 00E1216E
DestroyAcceleratorTable.USER32(00000000), ref: 00E4BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E116CB,00000000,?,?,00E11AE2,?,?), ref: 00E4BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E116CB,00000000,?,?,00E11AE2,?,?), ref: 00E4BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E116CB,00000000,?,?,00E11AE2,?,?), ref: 00E4BD0A
DeleteObject.GDI32(00000000), ref: 00E4BD1C

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 92b0f831e6f81049c004e1d894342b8c75c2b5815cc874a8a9f007b9f5038990
Instruction ID: b85ff5ec1c45afe6772afcb77f55f9e1779b7e08d42842f3e5d7d8f4b8b79a20
Opcode Fuzzy Hash: 92b0f831e6f81049c004e1d894342b8c75c2b5815cc874a8a9f007b9f5038990
Instruction Fuzzy Hash: 7961AE35601A00DFCB399F15ED48BA9B7F1FF44316F10652EE642BA9B0C770A8A4DB80

Function 00E121A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00E125DB: GetWindowLongW.USER32(?,000000EB), ref: 00E125EC

GetSysColor.USER32(0000000F), ref: 00E121D3

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: c67b2277fa5511369b76d11f81144d2025038a6873a5e15aa80754307d31696f
Instruction ID: 9709216387223d49e2fcf702b643dfa411b535207811692e4267c4e089e5bf65
Opcode Fuzzy Hash: c67b2277fa5511369b76d11f81144d2025038a6873a5e15aa80754307d31696f
Instruction Fuzzy Hash: 6C41B131100140AFDB255F29EC88BF93B65EB46325F18526AFE65EA1F2C7318C92DB51

Function 00E7A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00E9F910), ref: 00E7A90B
GetDriveTypeW.KERNEL32(00000061,00EC89A0,00000061), ref: 00E7A9D5
_wcscpy.LIBCMT ref: 00E7A9FF

Strings

fixed, xrefs: 00E7A953
ramdisk, xrefs: 00E7A97F
all, xrefs: 00E7A911
network, xrefs: 00E7A969
unknown, xrefs: 00E7A996
cdrom, xrefs: 00E7A927
removable, xrefs: 00E7A93D

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 1049b30f727e3eaa745b79c3eadb0f3813bdf224aee0c28d6814cb1546d34bcf
Instruction ID: 2cded4bce147c72bc03ded19ba860816c275e6ef2992062319c3f4c2af825d88
Opcode Fuzzy Hash: 1049b30f727e3eaa745b79c3eadb0f3813bdf224aee0c28d6814cb1546d34bcf
Instruction Fuzzy Hash: 8151BE311083019BC314EF14DA92AAFB7E5EFC4304F08A82DF59A772A2DB319949CB43

Function 00E19837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00E19862
__swprintf.LIBCMT ref: 00E198AC
__i64tow.LIBCMT ref: 00E4F5E6

Strings

%.15g, xrefs: 00E198A6
False, xrefs: 00E4F5AE
True, xrefs: 00E4F5A7
0x%p, xrefs: 00E4F5C8

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 5963e5a5d158aeb3212bcadace57aca5ce1fa070332d5e1065f2cc25fddcc07e
Instruction ID: 4efadec4f87bc4a9d9937c8c3c56415e8265080b689a267bc1d06393b64d82a8
Opcode Fuzzy Hash: 5963e5a5d158aeb3212bcadace57aca5ce1fa070332d5e1065f2cc25fddcc07e
Instruction Fuzzy Hash: 59412871500205AFEB28DF34E856EBA77E8FF45704F20646EE549F7282EA369D41CB10

Function 00E97152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E9716A
CreateMenu.USER32 ref: 00E97185
SetMenu.USER32(?,00000000), ref: 00E97194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E97221
IsMenu.USER32(?), ref: 00E97237
CreatePopupMenu.USER32 ref: 00E97241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00E9726E
DrawMenuBar.USER32 ref: 00E97276

Strings

F, xrefs: 00E97262
0, xrefs: 00E97160

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 4069375510b869f9148a99356cd9d6643af77bedce6ad868298b0f6b7c15799f
Instruction ID: 137930284c8bcfa716cb49e871fc33f4eb0e8146d3777b5881e08ef13581e6eb
Opcode Fuzzy Hash: 4069375510b869f9148a99356cd9d6643af77bedce6ad868298b0f6b7c15799f
Instruction Fuzzy Hash: A44136B9A11205EFDB20DFA5D984EDA7BB5FF49310F14002AF985A7361D731AD18CB90

Function 00E974BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00E9755E
CreateCompatibleDC.GDI32(00000000), ref: 00E97565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00E97578
SelectObject.GDI32(00000000,00000000), ref: 00E97580
GetPixel.GDI32(00000000,00000000,00000000), ref: 00E9758B
DeleteDC.GDI32(00000000), ref: 00E97594
GetWindowLongW.USER32(?,000000EC), ref: 00E9759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00E975B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00E975BE

Strings

static, xrefs: 00E974F6

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: e2094261bf80a730d4704cc9d2224db7af9902a8e56d69c3f10278c7f34fcc64
Instruction ID: 5c7e5dc8c03cc6f50400ccf5415d1cf0a103a98683d6891e0b725f44c117c344
Opcode Fuzzy Hash: e2094261bf80a730d4704cc9d2224db7af9902a8e56d69c3f10278c7f34fcc64
Instruction Fuzzy Hash: 61318A72105214AFDF119FA5DC09FDA3BA9FF09324F111226FA55F20A1C731D825DBA4

Function 00E36E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E36E3E

Part of subcall function 00E38B28: __getptd_noexit.LIBCMT ref: 00E38B28

__gmtime64_s.LIBCMT ref: 00E36ED7
__gmtime64_s.LIBCMT ref: 00E36F0D
__gmtime64_s.LIBCMT ref: 00E36F2A
__allrem.LIBCMT ref: 00E36F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E36F9C
__allrem.LIBCMT ref: 00E36FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E36FD1
__allrem.LIBCMT ref: 00E36FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E37006
__invoke_watson.LIBCMT ref: 00E37077

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 2404d4aaad9ce81953947d413117bb4b5b6a718d9cc6c27b8936af2d6893db8f
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 987109B6A00716ABD728AE79DC45B5ABBF8AF04328F149529F554F72C1E770DE00CB90

Function 00E72527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E72542
GetMenuItemInfoW.USER32(00ED5890,000000FF,00000000,00000030), ref: 00E725A3
SetMenuItemInfoW.USER32(00ED5890,00000004,00000000,00000030), ref: 00E725D9
Sleep.KERNEL32(000001F4), ref: 00E725EB
GetMenuItemCount.USER32(?), ref: 00E7262F
GetMenuItemID.USER32(?,00000000), ref: 00E7264B
GetMenuItemID.USER32(?,-00000001), ref: 00E72675
GetMenuItemID.USER32(?,?), ref: 00E726BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00E72700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E72714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E72735

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 94deb4be37cb40844ded77e7dfc7efb50b2a27b1c2da6057eec5702a15ba3625
Instruction ID: a0c99e594c3f8afe7f897228099f8cb3d16be8ce8ec08f479e6dcd99c1a3be59
Opcode Fuzzy Hash: 94deb4be37cb40844ded77e7dfc7efb50b2a27b1c2da6057eec5702a15ba3625
Instruction Fuzzy Hash: 1661AFB0900249AFDB15CFA4DD88DBE7BB8EB01308F14915FEA45B7291D731AD09DB21

Function 00E96F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00E96FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00E96FA8
GetWindowLongW.USER32(?,000000F0), ref: 00E96FCC
_memset.LIBCMT ref: 00E96FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00E96FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00E97067

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 43c49b024bf2d49859767811a7f903e398ec092b3ce8ef9b35bc8f893d661d35
Instruction ID: 6c7d222e3755759669b734b6acf7bb23fd592804de5259ec24df585bf36bb583
Opcode Fuzzy Hash: 43c49b024bf2d49859767811a7f903e398ec092b3ce8ef9b35bc8f893d661d35
Instruction Fuzzy Hash: EC617A75A00208AFDB10DFA4CC81EEE77F8EB09714F1011AAFA14BB2A1C771AD45DB90

Function 00E66B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00E66BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00E66C18
VariantInit.OLEAUT32(?), ref: 00E66C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00E66C4A
VariantCopy.OLEAUT32(?,?), ref: 00E66C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00E66CB1
VariantClear.OLEAUT32(?), ref: 00E66CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00E66CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E66CDC
VariantClear.OLEAUT32(?), ref: 00E66CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E66CF9

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 02c548c713fe6da3d42a8dd295b137e5d99cf2a89574f656c020b60640bb1fde
Instruction ID: b91d1013f7d665513344c8ca39d5d7cfc7f72c6ff9d7c84591df055684178cdd
Opcode Fuzzy Hash: 02c548c713fe6da3d42a8dd295b137e5d99cf2a89574f656c020b60640bb1fde
Instruction Fuzzy Hash: 50415F71A402199FCF04DFA9D8449EEBBB9EF48354F00906AE955F7261CB30A949CB90

Function 00E85732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00E85793
inet_addr.WSOCK32(?,?,?), ref: 00E857D8
gethostbyname.WSOCK32(?), ref: 00E857E4
IcmpCreateFile.IPHLPAPI ref: 00E857F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00E85862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00E85878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00E858ED
WSACleanup.WSOCK32 ref: 00E858F3

Strings

Ping, xrefs: 00E85816

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: cc7e25e071f192da680f7e286ffd031fb3973801103308cd06aef4dc985022c8
Instruction ID: 0d7e291f337101445553a184377dfbc0ffe4cd2927a420866451b1323ea62ff4
Opcode Fuzzy Hash: cc7e25e071f192da680f7e286ffd031fb3973801103308cd06aef4dc985022c8
Instruction Fuzzy Hash: 06518C32604700DFDB14AF65DC45B6AB7E4AF48724F14592AF95AFB2A1DB30E844CB42

Function 00E7B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00E7B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00E7B546
GetLastError.KERNEL32 ref: 00E7B550
SetErrorMode.KERNEL32(00000000,READY), ref: 00E7B5BD

Strings

READONLY, xrefs: 00E7B588
NOTREADY, xrefs: 00E7B57C
UNKNOWN, xrefs: 00E7B575
READY, xrefs: 00E7B596
INVALID, xrefs: 00E7B58F

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 18b63fd8ca91a27b6badc71a38dab6801a7a0d93f0afc2c9342aad2f4e6f05ca
Instruction ID: fb66871613f748588ebd00899e4f18a22636fd2c751f4c9441644354f5a5657c
Opcode Fuzzy Hash: 18b63fd8ca91a27b6badc71a38dab6801a7a0d93f0afc2c9342aad2f4e6f05ca
Instruction Fuzzy Hash: 39318035A00205EFCB00EB68D945FEEBBB5FF44314F10916AE509F7291DB719A46CB51

Function 00E68F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E17DE1: _memmove.LIBCMT ref: 00E17E22

Part of subcall function 00E6AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00E6AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00E69014
GetDlgCtrlID.USER32 ref: 00E6901F
GetParent.USER32 ref: 00E6903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00E6903E
GetDlgCtrlID.USER32(?), ref: 00E69047
GetParent.USER32(?), ref: 00E69063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00E69066

Strings

ListBox, xrefs: 00E68FD1
ComboBox, xrefs: 00E68F9C

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: d88d1ea6608e1bc1399ca29f516278a04574e31f164afba68d92a7372b4de003
Instruction ID: e7dd20699da3696285a3bcebdaa26b9521938d5a59ed74e77d9b5ffaf86c6d53
Opcode Fuzzy Hash: d88d1ea6608e1bc1399ca29f516278a04574e31f164afba68d92a7372b4de003
Instruction Fuzzy Hash: A5212871A40208BFDF04ABA1DC85EFEBBB8EF45350F10011AF961B72A2DB354859DB20

Function 00E6907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E17DE1: _memmove.LIBCMT ref: 00E17E22

Part of subcall function 00E6AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00E6AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00E690FD
GetDlgCtrlID.USER32 ref: 00E69108
GetParent.USER32 ref: 00E69124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00E69127
GetDlgCtrlID.USER32(?), ref: 00E69130
GetParent.USER32(?), ref: 00E6914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 00E6914F

Strings

ListBox, xrefs: 00E690BC
ComboBox, xrefs: 00E69087

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: a4d0668faaf1df83c69d2cf66e225f9c7112fe5933e054ad793232674d5c8d03
Instruction ID: b5581b0450cbfd928f4eb594607a060b4508a661137f230bc0c731f6585d20e1
Opcode Fuzzy Hash: a4d0668faaf1df83c69d2cf66e225f9c7112fe5933e054ad793232674d5c8d03
Instruction Fuzzy Hash: 3121D3B5A40208BFDF10ABA1DC85EFEBBB8EF45300F101016F961B72A2DB754859DA20

Function 00E69163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00E6916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00E69184
_wcscmp.LIBCMT ref: 00E69196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00E69211

Strings

smallicons, xrefs: 00E691D9
SHELLDLL_DefView, xrefs: 00E69190
largeicons, xrefs: 00E691A5
details, xrefs: 00E691BF
list, xrefs: 00E691F3

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 31cc7176e714016bfff5dd7c2b50abfb9519e8178d288353ad2e04df64ed8bcc
Instruction ID: d81d4d93730ec064ca8fb9a95de01b020586e4ef580076644dea3ff75d620687
Opcode Fuzzy Hash: 31cc7176e714016bfff5dd7c2b50abfb9519e8178d288353ad2e04df64ed8bcc
Instruction Fuzzy Hash: 7411E736288307B9EA112625FC1BDE73B9C9F15760F21202BFA10F54E3EE7258525994

Function 00E77990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00E77A6C

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: db3a1ffb6a376dac1ec7864c5e6529ade592365eb394fb326ab58330ffcecceb
Instruction ID: 6ef9e9d8dc13725db4f1bb084478cd6429aafa5b6b614926823b24ffb8fbd215
Opcode Fuzzy Hash: db3a1ffb6a376dac1ec7864c5e6529ade592365eb394fb326ab58330ffcecceb
Instruction Fuzzy Hash: BCB19C71A0820A9FDB01DFA4C884BBEB7F5EF0D325F209429E699F7241D734A941CB91

Function 00E711CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00E711F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00E70268,?,00000001), ref: 00E71204
GetWindowThreadProcessId.USER32(00000000), ref: 00E7120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E70268,?,00000001), ref: 00E7121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00E7122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E70268,?,00000001), ref: 00E71245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E70268,?,00000001), ref: 00E71257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00E70268,?,00000001), ref: 00E7129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00E70268,?,00000001), ref: 00E712B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00E70268,?,00000001), ref: 00E712BC

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 10442c0bf898e8d7c219da348acf84b66c4ae79e13fc80f8273340258ffc25a8
Instruction ID: 6bc0084b4f25e6410682f0f4c5239695f130135f6942a1c03b534a86cc1163cd
Opcode Fuzzy Hash: 10442c0bf898e8d7c219da348acf84b66c4ae79e13fc80f8273340258ffc25a8
Instruction Fuzzy Hash: FB319C75601704BFDF209F5AEC48BA937ADEB54315F108157F908F61A2E7709D489B90

Function 00E1FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00E1FAA6
OleUninitialize.OLE32(?,00000000), ref: 00E1FB45
UnregisterHotKey.USER32(?), ref: 00E1FC9C
DestroyWindow.USER32(?), ref: 00E545D6
FreeLibrary.KERNEL32(?), ref: 00E5463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00E54668

Strings

close all, xrefs: 00E1FAA1

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 2c7e8d6037f12dab8dcf480d2013d1df6a6a666717d04b527d76799079f5dffc
Instruction ID: db3ddf970c1d005dd99b06cfc6fafd5d11d691567373895b9168c271da7aa8d8
Opcode Fuzzy Hash: 2c7e8d6037f12dab8dcf480d2013d1df6a6a666717d04b527d76799079f5dffc
Instruction Fuzzy Hash: FBA18271301212CFCB19EF14C594BA9F3A4BF45705F5066ADE80ABB291DB30AC96CF90

Function 00E89113 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E89167
VariantInit.OLEAUT32(?), ref: 00E89238
VariantInit.OLEAUT32(?), ref: 00E89339
VariantClear.OLEAUT32(?), ref: 00E89343
VariantClear.OLEAUT32(?), ref: 00E893A0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00E8931C
,,, xrefs: 00E891E5
Null Object assignment in FOR..IN loop, xrefs: 00E891C8, 00E892F6, 00E893AE

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-218231672
Opcode ID: 071228204982643227bbbb04ba7d5ce3ccc39e8b4dc799462dff5b79de0df593
Instruction ID: daafa337a32ae9122e9d9cdc179ddf1fd6a1dddd464c226f7c5ca32589237dbc
Opcode Fuzzy Hash: 071228204982643227bbbb04ba7d5ce3ccc39e8b4dc799462dff5b79de0df593
Instruction Fuzzy Hash: 3391AF30E00209ABCF24EFA5D848FAEB7B8EF45714F149119F51DBB291D7709901CBA0

Function 00E6A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00E6A439), ref: 00E6A377

Strings

TEXT, xrefs: 00E6A2AE
NAME, xrefs: 00E6A1A9
REGEXPCLASS, xrefs: 00E6A13C
CLASSNN, xrefs: 00E6A119
CLASS, xrefs: 00E6A0F6
INSTANCE, xrefs: 00E6A285

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: a6e68d61aec0e06b747bb9deb3f9f41aafcd6519e0fa467565697263ad8ffd57
Instruction ID: 870c940bdf6bd6eed9ee6b7a00438e770a772c8ddcfe4c0e2457e68ec55529a0
Opcode Fuzzy Hash: a6e68d61aec0e06b747bb9deb3f9f41aafcd6519e0fa467565697263ad8ffd57
Instruction Fuzzy Hash: 3B911730E80605AACB08DFA0E456BEDFBB4BF44344F48B129E45AB7251DF316999CF91

Function 00E12E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00E12EAE

Part of subcall function 00E11DB3: GetClientRect.USER32(?,?), ref: 00E11DDC
Part of subcall function 00E11DB3: GetWindowRect.USER32(?,?), ref: 00E11E1D
Part of subcall function 00E11DB3: ScreenToClient.USER32(?,?), ref: 00E11E45

GetDC.USER32 ref: 00E4CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00E4CD45
SelectObject.GDI32(00000000,00000000), ref: 00E4CD53
SelectObject.GDI32(00000000,00000000), ref: 00E4CD68
ReleaseDC.USER32(?,00000000), ref: 00E4CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00E4CDFB

Strings

U, xrefs: 00E4CCD0

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 694ded12919f51eaeed3802fcd69c1338324338168b28a2a91f6af0d162b8e23
Instruction ID: e721af73d2c8b142f1ce0ea1860c267a61ab9cf451074122e17d998135b88e6f
Opcode Fuzzy Hash: 694ded12919f51eaeed3802fcd69c1338324338168b28a2a91f6af0d162b8e23
Instruction Fuzzy Hash: E071AF31901205DFCF658F64DC80AEA7BB5FF48318F24626AEE55BB2A6C7318891DB50

Function 00E81A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00E81A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00E81A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00E81ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00E81AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E81AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00E81B10
InternetCloseHandle.WININET(00000000), ref: 00E81B57

Part of subcall function 00E82483: GetLastError.KERNEL32(?,?,00E81817,00000000,00000000,00000001), ref: 00E82498
Part of subcall function 00E82483: SetEvent.KERNEL32(?,?,00E81817,00000000,00000000,00000001), ref: 00E824AD

Strings

, xrefs: 00E81B01

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: a08aa8612a6263eab0554bbc5e344592b3476f484ec3d32fe03e24c54b319a90
Instruction ID: 9c309e92dcb2cf7d4347fc30a8f114ce76dadd898d4aae276323272bd6cc5043
Opcode Fuzzy Hash: a08aa8612a6263eab0554bbc5e344592b3476f484ec3d32fe03e24c54b319a90
Instruction Fuzzy Hash: 574150B1501218BFEB15AF51CC85FFA7BACEF08354F00516BFA09BA151E7709E459BA0

Function 00E88C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00E9F910), ref: 00E88D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00E9F910), ref: 00E88D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00E88ED6
SysFreeString.OLEAUT32(?), ref: 00E88F00

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 967d1df38ebf0614038388568ad0b22cc5a9cb00d8c741c924ec8acc71ea958f
Instruction ID: d906ed84d8db1e93b1d808982f31ecea00dfbf45c718ad270e760d7ebc8d599e
Opcode Fuzzy Hash: 967d1df38ebf0614038388568ad0b22cc5a9cb00d8c741c924ec8acc71ea958f
Instruction Fuzzy Hash: 71F13771A00209AFCB14EF94C984EAEB7B9FF49314F148499F90ABB251DB31AE45CB51

Function 00E8F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E8F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00E8F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00E8F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00E8F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00E8F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00E8FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00E8FA7C
CloseHandle.KERNEL32(?), ref: 00E8FAAB
CloseHandle.KERNEL32(?), ref: 00E8FB22

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 5d83abe48bb856a9c0edc16af63285debd5960fc1ee6f065fc5569ef663ce3e0
Instruction ID: c3ebb5c619797e1809a9998ead68353b758911c64b45aa8fadd64e5c09c2c043
Opcode Fuzzy Hash: 5d83abe48bb856a9c0edc16af63285debd5960fc1ee6f065fc5569ef663ce3e0
Instruction Fuzzy Hash: 6AE1BF316043009FDB15EF24C891B6ABBE1EF85354F14996DF89DAB2A2CB31EC45CB52

Function 00E74CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E7466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E73697,?), ref: 00E7468B

Part of subcall function 00E7466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00E73697,?), ref: 00E746A4

Part of subcall function 00E74A31: GetFileAttributesW.KERNEL32(?,00E7370B), ref: 00E74A32

lstrcmpiW.KERNEL32(?,?), ref: 00E74D40
_wcscmp.LIBCMT ref: 00E74D5A
MoveFileW.KERNEL32(?,?), ref: 00E74D75

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: feb08fc5083c3b24c0aa2bdebc747cf88638695db5acbb7beaec85aedb78026a
Instruction ID: 4ff8a098a0996d32c3deea712eb641fa01777092fadd9f23c4fa071eb0c89167
Opcode Fuzzy Hash: feb08fc5083c3b24c0aa2bdebc747cf88638695db5acbb7beaec85aedb78026a
Instruction Fuzzy Hash: 245163B21083459BC725DBA0D8819DFB7ECAF84354F40592EF2C9E3191EF30A588C766

Function 00E98645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00E986FF

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 4e24dd601101f6abaed7fa4bb34c5b7fea3eb339904989755594dcc27d440ccd
Instruction ID: 8bc9e2f9059acfe4df0ec5eeca138754674365ed2b4832cb111d7f0fc70c1f84
Opcode Fuzzy Hash: 4e24dd601101f6abaed7fa4bb34c5b7fea3eb339904989755594dcc27d440ccd
Instruction Fuzzy Hash: 9851A170500244BEDF249F65DE85FAD3BA5EB06354F602127F951FA1B2CB71A990CB50

Function 00E12B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00E4C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00E4C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00E4C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00E4C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00E4C370
DestroyIcon.USER32(00000000), ref: 00E4C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00E4C39C
DestroyIcon.USER32(?), ref: 00E4C3AB

Part of subcall function 00E9A4AF: DeleteObject.GDI32(00000000), ref: 00E9A4E8

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 9a6288fd4e6d64ed884ea12744694b89621e42d6292433809ed2f46c4984e6f3
Instruction ID: 438965f1fdbedef2980dc2e1bc772027a27dc74a389259ea3d72430305f5e336
Opcode Fuzzy Hash: 9a6288fd4e6d64ed884ea12744694b89621e42d6292433809ed2f46c4984e6f3
Instruction Fuzzy Hash: 65516A74A00209AFDB24DF65DC45FAA77E5EB44314F20552AFA02F72A0D7B0ACA0DB90

Function 00E6966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E6A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00E6A84C
Part of subcall function 00E6A82C: GetCurrentThreadId.KERNEL32 ref: 00E6A853
Part of subcall function 00E6A82C: AttachThreadInput.USER32(00000000,?,00E69683,?,00000001), ref: 00E6A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 00E6968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00E696AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00E696AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 00E696B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00E696D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00E696D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 00E696E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00E696F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00E696FB

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 9e9e87dad2084d829fa401513c54b5f50ec2ed64dcd8e2b2246502e94c6cb378
Instruction ID: 033c13023d7146edde8c86abffc2bae61ac9e31750bbcb510fc4a5f52896fa77
Opcode Fuzzy Hash: 9e9e87dad2084d829fa401513c54b5f50ec2ed64dcd8e2b2246502e94c6cb378
Instruction Fuzzy Hash: 0411E571950218BEF6106F72DC49F6A3B6DDB4C790F101426F244FB0A2C9F25C50DAE4

Function 00E68921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00E6853C,00000B00,?,?), ref: 00E6892A
HeapAlloc.KERNEL32(00000000,?,00E6853C,00000B00,?,?), ref: 00E68931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00E6853C,00000B00,?,?), ref: 00E68946
GetCurrentProcess.KERNEL32(?,00000000,?,00E6853C,00000B00,?,?), ref: 00E6894E
DuplicateHandle.KERNEL32(00000000,?,00E6853C,00000B00,?,?), ref: 00E68951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00E6853C,00000B00,?,?), ref: 00E68961
GetCurrentProcess.KERNEL32(00E6853C,00000000,?,00E6853C,00000B00,?,?), ref: 00E68969
DuplicateHandle.KERNEL32(00000000,?,00E6853C,00000B00,?,?), ref: 00E6896C
CreateThread.KERNEL32(00000000,00000000,00E68992,00000000,00000000,00000000), ref: 00E68986

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 164475afc6894ccb154dfcab3c2b69e056d4f85419bef02d5b420d3dbdd3d9c9
Instruction ID: 88bb52968a4281f53f4ce62722d429db08eb4bf1d43846a3fbaf7b854d1377f3
Opcode Fuzzy Hash: 164475afc6894ccb154dfcab3c2b69e056d4f85419bef02d5b420d3dbdd3d9c9
Instruction Fuzzy Hash: F001BF75641304FFE710ABA6DC4DF6B3B6CEB89711F504422FA05EB1A2CA70D804CB64

Function 00E89B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00E89BA4, 00E89EC8
Not an Object type, xrefs: 00E89B7B

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 6402ae3846b78e37ed26e1996484ae0f3b58e1b9a7d09fbc026f0fe629523d3b
Instruction ID: 1438e6298e65ffb6c29595d8f6eedf02b689e9e5999b84565200560462add09f
Opcode Fuzzy Hash: 6402ae3846b78e37ed26e1996484ae0f3b58e1b9a7d09fbc026f0fe629523d3b
Instruction Fuzzy Hash: B6C18171E002099FDF10EF98D984ABEB7F5BB48314F189429E90DBB281E771AD45CB90

Function 00E8975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00E6710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E67044,80070057,?,?,?,00E67455), ref: 00E67127
Part of subcall function 00E6710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E67044,80070057,?,?), ref: 00E67142
Part of subcall function 00E6710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E67044,80070057,?,?), ref: 00E67150
Part of subcall function 00E6710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E67044,80070057,?), ref: 00E67160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00E89806
_memset.LIBCMT ref: 00E89813
_memset.LIBCMT ref: 00E89956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00E89982
CoTaskMemFree.OLE32(?), ref: 00E8998D

Strings

NULL Pointer assignment, xrefs: 00E899DB

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 874e22f82bfd80c243f7275f0d75943d85dddb23e07f0c475797b213d310c32b
Instruction ID: ff02497d9619a216e0dd2c8b145a429a9b7c16690c4aa7422b24fe6c544805a6
Opcode Fuzzy Hash: 874e22f82bfd80c243f7275f0d75943d85dddb23e07f0c475797b213d310c32b
Instruction Fuzzy Hash: E7916971D00228EBDB10EFA5DC85EEEBBB9AF48710F10415AF419B7241DB715A44CFA0

Function 00E96D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00E96E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00E96E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00E96E52
_wcscat.LIBCMT ref: 00E96EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00E96EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00E96EF2

Strings

SysListView32, xrefs: 00E96DF6

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 6e40b51872d217d9bbd4effa8e49222a5dae6ed86d255a7e295d917684aa0e43
Instruction ID: 913ea261f2bdaadce21e01134241dff1f5119b461b4c48f9336801c4a4d74b29
Opcode Fuzzy Hash: 6e40b51872d217d9bbd4effa8e49222a5dae6ed86d255a7e295d917684aa0e43
Instruction Fuzzy Hash: 86418F71A00348AFEF219F64CC85BEAB7E8EF08354F10142BF594F7292D6729D848B60

Function 00E8E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00E73C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00E73C7A
Part of subcall function 00E73C55: Process32FirstW.KERNEL32(00000000,?), ref: 00E73C88
Part of subcall function 00E73C55: CloseHandle.KERNEL32(00000000), ref: 00E73D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E8E9A4
GetLastError.KERNEL32 ref: 00E8E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E8E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 00E8EA63
GetLastError.KERNEL32(00000000), ref: 00E8EA6E
CloseHandle.KERNEL32(00000000), ref: 00E8EAA3

Strings

SeDebugPrivilege, xrefs: 00E8E9C2

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: f9d1c40fd63c5de28c93726678bcf5f4650ba3aae40b8dc9c12cd8666637d489
Instruction ID: e790cd7937506686abb4d3b9f2b5c2e90b8a9e98478ddd0850119b1913feed74
Opcode Fuzzy Hash: f9d1c40fd63c5de28c93726678bcf5f4650ba3aae40b8dc9c12cd8666637d489
Instruction Fuzzy Hash: F841BC312002009FDB18EF64DCA5FADB7E5AF81754F149459F90AAB3D3CB74A849CB91

Function 00E72F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00E73033

Strings

info, xrefs: 00E72FD4
question, xrefs: 00E72FEC
blank, xrefs: 00E72FB5
warning, xrefs: 00E7301C
stop, xrefs: 00E73004

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 7f7e40f8b8c1107bd51e71b0c10c4b58519596d9e910c71d6638ce9e6ce74b3f
Instruction ID: 140a37d50ba3cf02cd53f9b8ad66d6896c77fe504e9a355c8d25602427b589ff
Opcode Fuzzy Hash: 7f7e40f8b8c1107bd51e71b0c10c4b58519596d9e910c71d6638ce9e6ce74b3f
Instruction Fuzzy Hash: AD115B31348346BED7159A65DD42DAF7B9C9F15324F10502EFA08B6181DBB15F0066A4

Function 00E742F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00E74312
LoadStringW.USER32(00000000), ref: 00E74319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00E7432F
LoadStringW.USER32(00000000), ref: 00E74336
_wprintf.LIBCMT ref: 00E7435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00E7437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00E74357

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: c811e6fe08b4df6e469f5cbf301df1e62bd48de01464432db81c8cc81828a914
Instruction ID: 3c0074363d86ae0f9ed16c8a78b9b5a0100adc46f3af01da7b00ca322dea5e44
Opcode Fuzzy Hash: c811e6fe08b4df6e469f5cbf301df1e62bd48de01464432db81c8cc81828a914
Instruction Fuzzy Hash: 91014FF2900208BFE71197A1DD89EFA776CDB08301F0005A7F749F6052EA759E894BB1

Function 00E9D43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E12612: GetWindowLongW.USER32(?,000000EB), ref: 00E12623

GetSystemMetrics.USER32(0000000F), ref: 00E9D47C
GetSystemMetrics.USER32(0000000F), ref: 00E9D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00E9D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00E9D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00E9D716
ShowWindow.USER32(00000003,00000000), ref: 00E9D735
InvalidateRect.USER32(?,00000000,00000001), ref: 00E9D75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 00E9D77D

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 260e12c10fbc1ed64bc4f36bf96a6837724c80aad69ebf987318acca1e5894ba
Instruction ID: 16f765f5acee94b3d35932b29acc4dfcc620b0bbbe1fe2c6e2cb94399d8a4959
Opcode Fuzzy Hash: 260e12c10fbc1ed64bc4f36bf96a6837724c80aad69ebf987318acca1e5894ba
Instruction Fuzzy Hash: 68B19975604229EFDF18CF69C9857AD7BB1FF04705F08906AEC48AB296D730A954CBA0

Function 00E12A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00E4C1C7,00000004,00000000,00000000,00000000), ref: 00E12ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00E4C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00E12B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00E4C1C7,00000004,00000000,00000000,00000000), ref: 00E4C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00E4C1C7,00000004,00000000,00000000,00000000), ref: 00E4C286

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: efe568ee466b9f6a9765c7b427e44fa63a7f5d57e30951da838ec28f9403ffc8
Instruction ID: 9ba04a867dbdc0addb9c2261fa163d55b4a49a3ebba0d5b6ff8cd68058f460bc
Opcode Fuzzy Hash: efe568ee466b9f6a9765c7b427e44fa63a7f5d57e30951da838ec28f9403ffc8
Instruction Fuzzy Hash: C7412D312097C09FC7799B299C88BEB7B91AF85304F24A41FE247B7571C6B1A8E5D720

Function 00E770C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00E770DD

Part of subcall function 00E30DB6: std::exception::exception.LIBCMT ref: 00E30DEC
Part of subcall function 00E30DB6: __CxxThrowException@8.LIBCMT ref: 00E30E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00E77114
EnterCriticalSection.KERNEL32(?), ref: 00E77130
_memmove.LIBCMT ref: 00E7717E
_memmove.LIBCMT ref: 00E7719B
LeaveCriticalSection.KERNEL32(?), ref: 00E771AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00E771BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 00E771DE

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: dd5620537b44ce4822b925b8a5b87e19a2c660f76e4b350308905e25afca7108
Instruction ID: c83f7a70a801ac55147a68167a0a1f2ab2b0b1d6aa9855a37c1258cb53c5c924
Opcode Fuzzy Hash: dd5620537b44ce4822b925b8a5b87e19a2c660f76e4b350308905e25afca7108
Instruction Fuzzy Hash: 10312F71A00205EFDF10DFA5DC89AAE7BB8EF45710F5441A6E904AA256D7709A14CBA0

Function 00E961D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00E961EB
GetDC.USER32(00000000), ref: 00E961F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E961FE
ReleaseDC.USER32(00000000,00000000), ref: 00E9620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00E96246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00E96257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00E9902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00E96291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00E962B1

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 32ecd8431acf84b01ebde486f26203b981370e0b5fb93f553a09aef28d2810d0
Instruction ID: 9b55fb4a28bcefd4ddb7100899479b281aae64e3b6c77ac7591d5f2856d4bad5
Opcode Fuzzy Hash: 32ecd8431acf84b01ebde486f26203b981370e0b5fb93f553a09aef28d2810d0
Instruction Fuzzy Hash: 243171721012107FEF114F51CC8AFEA3BADEF49755F044066FE08EA1A2C6759C51CBA0

Function 00E6BBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00E6BBC4
_memcmp.LIBCMT ref: 00E6BBE6
_memcmp.LIBCMT ref: 00E6BBFE
_memcmp.LIBCMT ref: 00E6BC11
_memcmp.LIBCMT ref: 00E6BC2B
_memcmp.LIBCMT ref: 00E6BC3E
_memcmp.LIBCMT ref: 00E6BC56
_memcmp.LIBCMT ref: 00E6BC71

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 5940fe40fe5edb9c0626776694d66a717d5e2302f52617707f538fefd8424b00
Instruction ID: ae08926a3702c7c3a0bbc4e3a2ddac29ad18bea80b83692cc7dff5e896d7ab07
Opcode Fuzzy Hash: 5940fe40fe5edb9c0626776694d66a717d5e2302f52617707f538fefd8424b00
Instruction Fuzzy Hash: D821B0716813057BE2146625BD42FFBB79C9E153D8F086028FE04FA643EB65EF51C2A1

Function 00E7EB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00E19837: __itow.LIBCMT ref: 00E19862
Part of subcall function 00E19837: __swprintf.LIBCMT ref: 00E198AC

Part of subcall function 00E2FC86: _wcscpy.LIBCMT ref: 00E2FCA9

_wcstok.LIBCMT ref: 00E7EC94
_wcscpy.LIBCMT ref: 00E7ED23
_memset.LIBCMT ref: 00E7ED56

Strings

X, xrefs: 00E7ED93

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 72f6fccd9b86c71ccc387f3382f9419af5d56fe58f95e741b86f65d468dd5c18
Instruction ID: 197c3c43527a8d42f6e3f37bbd740796092cc77a46771116c52b2cada358f227
Opcode Fuzzy Hash: 72f6fccd9b86c71ccc387f3382f9419af5d56fe58f95e741b86f65d468dd5c18
Instruction Fuzzy Hash: 9BC150716083409FC714EF24C855E9AB7E4EF89314F10996DF999A73A2DB30ED45CB82

Function 00E86B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00E86C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00E86C21
WSAGetLastError.WSOCK32(00000000), ref: 00E86C34
htons.WSOCK32(?,?,?,00000000,?), ref: 00E86CEA
inet_ntoa.WSOCK32(?), ref: 00E86CA7

Part of subcall function 00E6A7E9: _strlen.LIBCMT ref: 00E6A7F3
Part of subcall function 00E6A7E9: _memmove.LIBCMT ref: 00E6A815

_strlen.LIBCMT ref: 00E86D44
_memmove.LIBCMT ref: 00E86DAD

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 3588ba05d1959e510c96af03a1d3479b4d459a9962a0e6a8117839ab07677b46
Instruction ID: d1d6dc54a8626ce80ac5f9a43882586f8fdc12bda8897d1f06231354abe8b73e
Opcode Fuzzy Hash: 3588ba05d1959e510c96af03a1d3479b4d459a9962a0e6a8117839ab07677b46
Instruction Fuzzy Hash: 1481D271204300AFC710FB64DC96EAAB7E8AF84718F14691DF559BB2E2DA70ED44CB52

Function 00E11424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f46f30fea543bdc1c69f772ea91e8bf751e01f57051813aae01585480fbae19e
Instruction ID: 1d6bdd3392815e88b59d9d9077c7df2787c8daddd8960b4ab4352544c593deb5
Opcode Fuzzy Hash: f46f30fea543bdc1c69f772ea91e8bf751e01f57051813aae01585480fbae19e
Instruction Fuzzy Hash: 54716F30900119EFCB04CF99CC49AFEBBB9FF85714F148199FA15BA251C734AA91CBA4

Function 00E9B351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01104FB8), ref: 00E9B3EB
IsWindowEnabled.USER32(01104FB8), ref: 00E9B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00E9B4DB
SendMessageW.USER32(01104FB8,000000B0,?,?), ref: 00E9B512
IsDlgButtonChecked.USER32(?,?), ref: 00E9B54F
GetWindowLongW.USER32(01104FB8,000000EC), ref: 00E9B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00E9B589

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: b41378f0f1743f7a614cf55d194c3ea62ab6c11d52ae47bdae202fabe44ca695
Instruction ID: 09b7eab708e37b36dab5ad86b54fc5e6b17bae5391b0217cbdf6772181f23e39
Opcode Fuzzy Hash: b41378f0f1743f7a614cf55d194c3ea62ab6c11d52ae47bdae202fabe44ca695
Instruction Fuzzy Hash: 8371AE34600304EFDF20DF65EA94FBA7BB9EF49304F14606AE951B72A2D731A851EB50

Function 00E8F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E8F448
_memset.LIBCMT ref: 00E8F511
ShellExecuteExW.SHELL32(?), ref: 00E8F556

Part of subcall function 00E19837: __itow.LIBCMT ref: 00E19862
Part of subcall function 00E19837: __swprintf.LIBCMT ref: 00E198AC

Part of subcall function 00E2FC86: _wcscpy.LIBCMT ref: 00E2FCA9

GetProcessId.KERNEL32(00000000), ref: 00E8F5CD
CloseHandle.KERNEL32(00000000), ref: 00E8F5FC

Strings

@, xrefs: 00E8F525

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 5b14bbf1ce46b89ee862d93b2f490e27dadfb9c0422751777be947d224157e5c
Instruction ID: adfbe8e366c25cc9d52457d0aaaa5faaee91e50049443aa4f2ebba1535adaae6
Opcode Fuzzy Hash: 5b14bbf1ce46b89ee862d93b2f490e27dadfb9c0422751777be947d224157e5c
Instruction Fuzzy Hash: 5C61BD71A00619DFCB04EFA4C4919AEBBF4FF48314F14906AE859BB352CB30AE41CB90

Function 00E70F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00E70F8C
GetKeyboardState.USER32(?), ref: 00E70FA1
SetKeyboardState.USER32(?), ref: 00E71002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00E71030
PostMessageW.USER32(?,00000101,00000011,?), ref: 00E7104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00E71095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00E710B8

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: e16a8f8f744c3c349e8fe149a825a110fd76e2ec0012a6b46c282e6ad6a43998
Instruction ID: 8427c90892a0840ed314f99c4528c05dbdce5b83da09f8dfd14a16b54d184e0b
Opcode Fuzzy Hash: e16a8f8f744c3c349e8fe149a825a110fd76e2ec0012a6b46c282e6ad6a43998
Instruction Fuzzy Hash: F251E3606047D57DFB3646388C15BBABEE95B06308F08D5C9E1DCA98D3C2A8ECD8D751

Function 00E70D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00E70DA5
GetKeyboardState.USER32(?), ref: 00E70DBA
SetKeyboardState.USER32(?), ref: 00E70E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00E70E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00E70E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00E70EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00E70EC9

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 6464d0dd1c169827cfc8de99a43be554cf352e4c1d25428c7c2397481fb3d111
Instruction ID: 0bb3f88c83c1ef2988c4e297587b531ffbe58126745e0ac58644171378375f6f
Opcode Fuzzy Hash: 6464d0dd1c169827cfc8de99a43be554cf352e4c1d25428c7c2397481fb3d111
Instruction Fuzzy Hash: D45119A05047D5BEFB3687348C45B7ABFA99B06304F08D889F1DCA64C3C395AC98D750

Function 00E755FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00E7560A
_wcsncpy.LIBCMT ref: 00E7563F
_wcsncpy.LIBCMT ref: 00E75671
_wcsncpy.LIBCMT ref: 00E756A4
_wcsncpy.LIBCMT ref: 00E756E6
_wcsncpy.LIBCMT ref: 00E75720
_wcsncpy.LIBCMT ref: 00E7574F

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 2ae2ab37705a4173d3c2220cccc6b6738ee13957c7c347bcbd74d446521d423f
Instruction ID: 65be38b9a41387884f08c9487b24da8f0add2887054778078140483652bda2d3
Opcode Fuzzy Hash: 2ae2ab37705a4173d3c2220cccc6b6738ee13957c7c347bcbd74d446521d423f
Instruction Fuzzy Hash: 80418476D1061476CB15EBB48C4A9CFB7F89F04310F50A95AE618F3221EA34E255CBAA

Function 00E6D56C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00E6D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00E6D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00E6D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00E6D69D

Strings

,,, xrefs: 00E6D578
DllGetClassObject, xrefs: 00E6D610

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,$DllGetClassObject
API String ID: 753597075-2867008933
Opcode ID: a30c30d44c61c585d96483aa1a2ae017e72293c9dd0a8ac7d17cdb61f8462ddf
Instruction ID: 16c98368356f8551e8f477967c7b543bf0ea404b7647e717c019a406853db19d
Opcode Fuzzy Hash: a30c30d44c61c585d96483aa1a2ae017e72293c9dd0a8ac7d17cdb61f8462ddf
Instruction Fuzzy Hash: 0D41CFB1A44204EFDB04CF15DC84A9A7BA9EF48354F5590AEEC0AEF205D7B1D944CBA0

Function 00E73671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E7466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E73697,?), ref: 00E7468B

Part of subcall function 00E7466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00E73697,?), ref: 00E746A4

lstrcmpiW.KERNEL32(?,?), ref: 00E736B7
_wcscmp.LIBCMT ref: 00E736D3
MoveFileW.KERNEL32(?,?), ref: 00E736EB
_wcscat.LIBCMT ref: 00E73733
SHFileOperationW.SHELL32(?), ref: 00E7379F

Strings

\*.*, xrefs: 00E7372D

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 04b5a457c5e3afbd9986767639b261c1c5020c2b0b49d5e90f850ec25c5e02c3
Instruction ID: a8d63aebb4d3dddeb3f3f4996fa93aeb294474a16eebfb4a27eafcbb915eca00
Opcode Fuzzy Hash: 04b5a457c5e3afbd9986767639b261c1c5020c2b0b49d5e90f850ec25c5e02c3
Instruction Fuzzy Hash: 5F41B1B1108345AEC755EF74D4459DFB7E8AF88384F00682EF49AE3291EB34D689C752

Function 00E97291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E972AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E97351
IsMenu.USER32(?), ref: 00E97369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00E973B1
DrawMenuBar.USER32 ref: 00E973C4

Strings

0, xrefs: 00E9729E

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: dee212a848174d437a44520bcfe5d113df785897b48a41f0ed1701c2cfd23e9c
Instruction ID: 4058ab53d376b0cfa3c160180aedb74b785a67651f97c6732c3278d2f6a7e7fc
Opcode Fuzzy Hash: dee212a848174d437a44520bcfe5d113df785897b48a41f0ed1701c2cfd23e9c
Instruction Fuzzy Hash: F2413575A14208EFDF20DF51D884A9ABBF8FB08314F14A52AFD95AB250D730AD58EF50

Function 00E90FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00E90FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E90FFE
FreeLibrary.KERNEL32(00000000), ref: 00E910B5

Part of subcall function 00E90FA5: RegCloseKey.ADVAPI32(?), ref: 00E9101B
Part of subcall function 00E90FA5: FreeLibrary.KERNEL32(?), ref: 00E9106D
Part of subcall function 00E90FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00E91090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00E91058

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 85255989931dbabce74b21ccad93cced66e6b05e548493be4e191c43cbc70360
Instruction ID: 2b863553447adb8dbfe329ba08716789e03f63b2beb34354c50dc17dfe4f5ae7
Opcode Fuzzy Hash: 85255989931dbabce74b21ccad93cced66e6b05e548493be4e191c43cbc70360
Instruction Fuzzy Hash: 90312BB1901109BFDF159F91DC89EFFB7BCEF08304F0001AAE501F2141EA759E899AA0

Function 00E962CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00E962EC
GetWindowLongW.USER32(01104FB8,000000F0), ref: 00E9631F
GetWindowLongW.USER32(01104FB8,000000F0), ref: 00E96354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00E96386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00E963B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00E963C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00E963DB

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 4da047babf0984ff48b6be7a956dab736c0f4898599f9acfdb7f44a905b471a8
Instruction ID: 5d7f340f906b110d31ab54a1c6278c0ed5ceb22e78fa34232f008c0d3b5b1e04
Opcode Fuzzy Hash: 4da047babf0984ff48b6be7a956dab736c0f4898599f9acfdb7f44a905b471a8
Instruction Fuzzy Hash: CB3102356442509FDB21CF1AEC85F5837E1FB8A718F1911A6F901EF2B2CB71A844EB90

Function 00E6DAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E6DB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E6DB54
SysAllocString.OLEAUT32(00000000), ref: 00E6DB57
SysAllocString.OLEAUT32(?), ref: 00E6DB75
SysFreeString.OLEAUT32(?), ref: 00E6DB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 00E6DBA3
SysAllocString.OLEAUT32(?), ref: 00E6DBB1

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 64c58bb15a1d9168a778ae51d0db5ad422c0bd87ebd6fe632a9672be5651799c
Instruction ID: fafc17164d8ba74eed355681024ead50533a1ff49f6686603c7fc058f85faa86
Opcode Fuzzy Hash: 64c58bb15a1d9168a778ae51d0db5ad422c0bd87ebd6fe632a9672be5651799c
Instruction Fuzzy Hash: 3821C732B04219AFDF10DFA9DC88CBB77ECEB093A4B418166F914EB250DA70DC458760

Function 00E86173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00E87D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00E87DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00E861C6
WSAGetLastError.WSOCK32(00000000), ref: 00E861D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00E8620E
connect.WSOCK32(00000000,?,00000010), ref: 00E86217
WSAGetLastError.WSOCK32 ref: 00E86221
closesocket.WSOCK32(00000000), ref: 00E8624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00E86263

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: ad53de55ee2d668c0cce61a4ca16540debcbded2f5176254fa95915acda3531e
Instruction ID: b690f1c0b67c95fb095e707597800b81b665533e2b4511bd9e1658d93ee23460
Opcode Fuzzy Hash: ad53de55ee2d668c0cce61a4ca16540debcbded2f5176254fa95915acda3531e
Instruction Fuzzy Hash: DE319071600118AFDF10AF64CC89BFE77A8EB45765F04406AF90DF7292DB70AD448BA1

Function 00E6F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00E6F671
__wcsnicmp.LIBCMT ref: 00E6F692
__wcsnicmp.LIBCMT ref: 00E6F6AC

Strings

#requireadmin, xrefs: 00E6F68C
#OnAutoItStartRegister, xrefs: 00E6F6A6
#notrayicon, xrefs: 00E6F669

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: b9f8bd13d0c65e3edc3b625289d095168c7d1a03ba25d7e9b4e9f716d677278d
Instruction ID: 15df5590d5eee3a9ec151b7b46915247be4c76ddca036298d60093c1fb3f7625
Opcode Fuzzy Hash: b9f8bd13d0c65e3edc3b625289d095168c7d1a03ba25d7e9b4e9f716d677278d
Instruction Fuzzy Hash: E1216EB229421166D620BA34FC07EFB73D8EF59394F14703AF946B6091EB51AD82C3E5

Function 00E6DBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E6DC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E6DC2F
SysAllocString.OLEAUT32(00000000), ref: 00E6DC32
SysAllocString.OLEAUT32 ref: 00E6DC53
SysFreeString.OLEAUT32 ref: 00E6DC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 00E6DC76
SysAllocString.OLEAUT32(?), ref: 00E6DC84

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: d6f6c3f1b4652388dd5c664dfa8bcd23535850a6c0ad981996812e8c4b6a1656
Instruction ID: 9bfd8108fffbd2d3e7f7ffac2ee53063cc7299d331a61458af7a443d25d7e8cd
Opcode Fuzzy Hash: d6f6c3f1b4652388dd5c664dfa8bcd23535850a6c0ad981996812e8c4b6a1656
Instruction Fuzzy Hash: 3D215835B48108AFDB10DFA9DC88DABB7ECEB093A0B518126F914EB261D670DC55C764

Function 00E975CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E11D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E11D73
Part of subcall function 00E11D35: GetStockObject.GDI32(00000011), ref: 00E11D87
Part of subcall function 00E11D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E11D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00E97632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00E9763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00E9764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00E97659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00E97665

Strings

Msctls_Progress32, xrefs: 00E97603

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 17d9789967e54c203d82573cf794548b347ac072c6b6a709fd8c80408623f8a0
Instruction ID: 486487882390ca532ff44cc43fc1a67a3f38f437b6825c126682a84c2b2c3056
Opcode Fuzzy Hash: 17d9789967e54c203d82573cf794548b347ac072c6b6a709fd8c80408623f8a0
Instruction Fuzzy Hash: 5E11B2B2110219BFEF118F65CC85EE77F6DEF08798F115115BA44B20A1CB729C21DBA4

Function 00E39AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00E39AE6

Part of subcall function 00E33187: EncodePointer.KERNEL32(00000000), ref: 00E3318A
Part of subcall function 00E33187: __initp_misc_winsig.LIBCMT ref: 00E331A5
Part of subcall function 00E33187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00E39EA0
Part of subcall function 00E33187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00E39EB4
Part of subcall function 00E33187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00E39EC7
Part of subcall function 00E33187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00E39EDA
Part of subcall function 00E33187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00E39EED
Part of subcall function 00E33187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00E39F00
Part of subcall function 00E33187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00E39F13
Part of subcall function 00E33187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00E39F26
Part of subcall function 00E33187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00E39F39
Part of subcall function 00E33187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00E39F4C
Part of subcall function 00E33187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00E39F5F
Part of subcall function 00E33187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00E39F72
Part of subcall function 00E33187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00E39F85
Part of subcall function 00E33187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00E39F98
Part of subcall function 00E33187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00E39FAB
Part of subcall function 00E33187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00E39FBE

__mtinitlocks.LIBCMT ref: 00E39AEB
__mtterm.LIBCMT ref: 00E39AF4

Part of subcall function 00E39B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00E39AF9,00E37CD0,00ECA0B8,00000014), ref: 00E39C56
Part of subcall function 00E39B5C: _free.LIBCMT ref: 00E39C5D
Part of subcall function 00E39B5C: DeleteCriticalSection.KERNEL32(02,?,?,00E39AF9,00E37CD0,00ECA0B8,00000014), ref: 00E39C7F

__calloc_crt.LIBCMT ref: 00E39B19
__initptd.LIBCMT ref: 00E39B3B
GetCurrentThreadId.KERNEL32 ref: 00E39B42

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 388021f6bd1187dfe520afe49361369df34899b7b758a4d6995255d07295b8ea
Instruction ID: eaf8338f167bce7ba5ee05ad2c1a8008406594e91207bedc26de5a399d8a9863
Opcode Fuzzy Hash: 388021f6bd1187dfe520afe49361369df34899b7b758a4d6995255d07295b8ea
Instruction Fuzzy Hash: EBF090326097115EE6347775BC0FA9A6EE09F42734F202B6AF460F51D3EFE18441C1A4

Function 00E9B635 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E9B644
_memset.LIBCMT ref: 00E9B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00ED6F20,00ED6F64), ref: 00E9B682
CloseHandle.KERNEL32 ref: 00E9B694

Strings

o, xrefs: 00E9B63E
do, xrefs: 00E9B64D

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: o$do
API String ID: 3277943733-2180341428
Opcode ID: 87fc2d914c952f0abc73161366faa6c12ad5c62471e146cb3d48c08eceea74d2
Instruction ID: b077c62003f8853d8a3094840d9a1d19f1345073551b34982c3d2b75a0222d4d
Opcode Fuzzy Hash: 87fc2d914c952f0abc73161366faa6c12ad5c62471e146cb3d48c08eceea74d2
Instruction Fuzzy Hash: 54F05EB2741704BEE2106B62BC0AFBB3B9CEB08395F005022FA08F5192D7755C04C7A8

Function 00E3406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00E33F85), ref: 00E34085
GetProcAddress.KERNEL32(00000000), ref: 00E3408C
EncodePointer.KERNEL32(00000000), ref: 00E34097
DecodePointer.KERNEL32(00E33F85), ref: 00E340B2

Strings

RoUninitialize, xrefs: 00E34074
combase.dll, xrefs: 00E34080

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 3690e84ea9289edc61c40c4eab995fb241e3a71ddc64484482ae51b0d99ef072
Instruction ID: 784bd75ab54338bc5f4eeb7d637aa600c5d6b9e52dce458e23f18ef99fdb1bdf
Opcode Fuzzy Hash: 3690e84ea9289edc61c40c4eab995fb241e3a71ddc64484482ae51b0d99ef072
Instruction Fuzzy Hash: ECE09A70643302AFDB109F77EC0DB093BA4F704746F10502BF501F50A1CBB69608CA16

Function 00E764B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E7660B
_memmove.LIBCMT ref: 00E76546

Part of subcall function 00E19837: __itow.LIBCMT ref: 00E19862
Part of subcall function 00E19837: __swprintf.LIBCMT ref: 00E198AC

_memmove.LIBCMT ref: 00E765B9
_memmove.LIBCMT ref: 00E766A0
_memmove.LIBCMT ref: 00E766B9
_memmove.LIBCMT ref: 00E766D5

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: a38f8cee58cdd1a553a867f348e1a9f6d063674736154af17e6ddf8f80265b64
Instruction ID: 2d63b45f3935d6bd6ffda710623bb9c20ce3b0d80508dbd78f5107642f60ff4f
Opcode Fuzzy Hash: a38f8cee58cdd1a553a867f348e1a9f6d063674736154af17e6ddf8f80265b64
Instruction Fuzzy Hash: CE619B3090065A9BCF05EF60CC96EFE3BE9AF05308F449968F8597B192DB34E945CB50

Function 00E901E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E17DE1: _memmove.LIBCMT ref: 00E17E22

Part of subcall function 00E90E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E8FDAD,?,?), ref: 00E90E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E902BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E902FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00E90320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00E90349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00E9038C
RegCloseKey.ADVAPI32(00000000), ref: 00E90399

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: e6fcb796da530f0abf41eeeb18437ee8611ef13c464b36d880e8a4237062bcb0
Instruction ID: f9c2edd34a3ab32333759df0dbbd888b266e966254123f681f7458f800113e7b
Opcode Fuzzy Hash: e6fcb796da530f0abf41eeeb18437ee8611ef13c464b36d880e8a4237062bcb0
Instruction Fuzzy Hash: 50514971208300AFCB14EF64C895EAEBBE9FF84314F44592DF495A72A2DB31E945CB52

Function 00E95799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00E957FB
GetMenuItemCount.USER32(00000000), ref: 00E95832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00E9585A
GetMenuItemID.USER32(?,?), ref: 00E958C9
GetSubMenu.USER32(?,?), ref: 00E958D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00E95928

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: dcddb9eec626a98479ac192dc4cb3c66723bd2c8a6439697ab68ae204ef2b30e
Instruction ID: 62e415b1823d35a3b2683e2d580ff8b8527cb4e85a5bb79a3953a66bab4b9c7c
Opcode Fuzzy Hash: dcddb9eec626a98479ac192dc4cb3c66723bd2c8a6439697ab68ae204ef2b30e
Instruction Fuzzy Hash: 1E513A72A00615AFCF15EF64C855AAEBBF4EF48320F10546AE856BB351CB70AE41CB90

Function 00E6EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E6EF06
VariantClear.OLEAUT32(00000013), ref: 00E6EF78
VariantClear.OLEAUT32(00000000), ref: 00E6EFD3
_memmove.LIBCMT ref: 00E6EFFD
VariantClear.OLEAUT32(?), ref: 00E6F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00E6F078

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: d65195ac0e9f4a9860dd45e86f0070b592fa93a4d5ee2deda5a2cfa7bf25bde6
Instruction ID: c7692e34fa618dae9766f9d1e8ed378f0dce034f1fd61f529c2503eaf228edf9
Opcode Fuzzy Hash: d65195ac0e9f4a9860dd45e86f0070b592fa93a4d5ee2deda5a2cfa7bf25bde6
Instruction Fuzzy Hash: EC516D75A00209DFCB14CF58D884AAAB7F8FF4C354B15856AE959EB301E334E911CB90

Function 00E7220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E72258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E722A3
IsMenu.USER32(00000000), ref: 00E722C3
CreatePopupMenu.USER32 ref: 00E722F7
GetMenuItemCount.USER32(000000FF), ref: 00E72355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00E72386

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: a868d134e4b51eb5e9b471f61b918da2c2669cf1dd13f329f179dc6213298fee
Instruction ID: 9d2f820f5acf31872735d00a41e72983a16396966178f058d271818c2896f9c7
Opcode Fuzzy Hash: a868d134e4b51eb5e9b471f61b918da2c2669cf1dd13f329f179dc6213298fee
Instruction Fuzzy Hash: CB519F7060024AEFDF21CF68D888BADBBF5AF45318F10D22EEA59B7291D3749944CB51

Function 00E11765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00E12612: GetWindowLongW.USER32(?,000000EB), ref: 00E12623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00E1179A
GetWindowRect.USER32(?,?), ref: 00E117FE
ScreenToClient.USER32(?,?), ref: 00E1181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00E1182C
EndPaint.USER32(?,?), ref: 00E11876

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 73fc9af90dc11427553cf1d1c7383544e16b890d5381aeecae646bbd602ee431
Instruction ID: e9e9aaf38c94e401c9670ce6a4bcd476ac69c749c98e20c7a8ceacfdd1536fd6
Opcode Fuzzy Hash: 73fc9af90dc11427553cf1d1c7383544e16b890d5381aeecae646bbd602ee431
Instruction Fuzzy Hash: 4741C4711003009FC714DF25EC84FFA7BE8EB49724F14426AF6A4E71A2C7309889DB62

Function 00E9B69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00ED57B0,00000000,01104FB8,?,?,00ED57B0,?,00E9B5A8,?,?), ref: 00E9B712
EnableWindow.USER32(00000000,00000000), ref: 00E9B736
ShowWindow.USER32(00ED57B0,00000000,01104FB8,?,?,00ED57B0,?,00E9B5A8,?,?), ref: 00E9B796
ShowWindow.USER32(00000000,00000004,?,00E9B5A8,?,?), ref: 00E9B7A8
EnableWindow.USER32(00000000,00000001), ref: 00E9B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00E9B7EF

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: e89172b3279e45980f71a9a0e1e6862cf24a4e0c887e14dc592c3544135d8f69
Instruction ID: 36a6892a7283d58a2c7dbb9ed4b60f5b947d685f85a33a6d0e786c47c8201c37
Opcode Fuzzy Hash: e89172b3279e45980f71a9a0e1e6862cf24a4e0c887e14dc592c3544135d8f69
Instruction Fuzzy Hash: 01416234600240AFDF21CFA4E599B947BE1FB85314F1853BBED48AF6A2C731A856CB51

Function 00E8709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00E84E41,?,?,00000000,00000001), ref: 00E870AC

Part of subcall function 00E839A0: GetWindowRect.USER32(?,?), ref: 00E839B3

GetDesktopWindow.USER32 ref: 00E870D6
GetWindowRect.USER32(00000000), ref: 00E870DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00E8710F

Part of subcall function 00E75244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E752BC

GetCursorPos.USER32(?), ref: 00E8713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00E87199

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: e7a2cec7aaf1ab577b2f024bd89e4a2017b67ebb5fd34789f37573e3967234d0
Instruction ID: f6ab30d246ab93a33c9f11e3b695f7aab4f3e70dc926780a0405ad64b0f48ef8
Opcode Fuzzy Hash: e7a2cec7aaf1ab577b2f024bd89e4a2017b67ebb5fd34789f37573e3967234d0
Instruction Fuzzy Hash: E931B272509305AFD720EF14D849B9BB7E9FF88314F10091AF58DE7191CA74EA09CB92

Function 00E68879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E680A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E680C0
Part of subcall function 00E680A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E680CA
Part of subcall function 00E680A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E680D9
Part of subcall function 00E680A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00E680E0
Part of subcall function 00E680A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E680F6

GetLengthSid.ADVAPI32(?,00000000,00E6842F), ref: 00E688CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00E688D6
HeapAlloc.KERNEL32(00000000), ref: 00E688DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 00E688F6
GetProcessHeap.KERNEL32(00000000,00000000,00E6842F), ref: 00E6890A
HeapFree.KERNEL32(00000000), ref: 00E68911

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 3d1ef4c1e77a902d85c8dd5868b0cc65dda672a3f5e8ed5d5da1b139699ab5f8
Instruction ID: d0c9965ca3e1ceb0c38447b3241f2a7fd1e3fac4577bbe98f3970198218449bb
Opcode Fuzzy Hash: 3d1ef4c1e77a902d85c8dd5868b0cc65dda672a3f5e8ed5d5da1b139699ab5f8
Instruction Fuzzy Hash: D811E131541208FFDB108FA6ED09BBE77A8EB84355F10422EE889F3211CB329D04CB60

Function 00E685B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00E685E2
OpenProcessToken.ADVAPI32(00000000), ref: 00E685E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00E685F8
CloseHandle.KERNEL32(00000004), ref: 00E68603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00E68632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00E68646

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 8e781a113d429d5326ea4c298f0d1194038f308b84c78b43b79fab9283a66fb4
Instruction ID: 3ec6a6041fd897d3fd4a7b5c22ee19ea3cf6f8e55ba8609a3e5794734dfff228
Opcode Fuzzy Hash: 8e781a113d429d5326ea4c298f0d1194038f308b84c78b43b79fab9283a66fb4
Instruction Fuzzy Hash: FA115972540209AFDF018FA5ED49BDE7BA9EF08348F045166FE05F2160C7728D64EB60

Function 00E6B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00E6B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 00E6B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E6B7CD
ReleaseDC.USER32(00000000,00000000), ref: 00E6B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00E6B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 00E6B7FE

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: b8a517400528c7168b751890715213c1a9e72e9cf378718d356fa58c8dab78ee
Instruction ID: 9f84fcc00bcb33c31a6d495433b7fb17a4e9e73b3a9b6e1f01687db2e73b9992
Opcode Fuzzy Hash: b8a517400528c7168b751890715213c1a9e72e9cf378718d356fa58c8dab78ee
Instruction Fuzzy Hash: 52017175A40309BFEB109BA69C45A5ABFA8EB48351F0040A7FA04F7291D6309C10CFA0

Function 00E30162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E30193
MapVirtualKeyW.USER32(00000010,00000000), ref: 00E3019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E301A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E301B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00E301B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E301C1

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: c7237fae74972b7e50e7a9159b835805d6c18173b7446042dccf8ea7c21acafb
Instruction ID: 9c3ed25911360e780abc56fed22447029bc0ecfea671143a5cb91dbd923d760a
Opcode Fuzzy Hash: c7237fae74972b7e50e7a9159b835805d6c18173b7446042dccf8ea7c21acafb
Instruction Fuzzy Hash: 340148B09017597DE3008F5A8C85A52FEA8FF19354F00411BA15887942C7B5A868CBE5

Function 00E753E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00E753F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00E7540F
GetWindowThreadProcessId.USER32(?,?), ref: 00E7541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E7542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E75437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E7543E

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: b817c9c989bff4c1b57742144d8a186cbb2aae7e5aa8e95c3f7ba3f26de9d48a
Instruction ID: ee86cc0f6ef6f73fb785c7d32f53d247680c17bcd71a7b4cdc4c9e0e46af2f09
Opcode Fuzzy Hash: b817c9c989bff4c1b57742144d8a186cbb2aae7e5aa8e95c3f7ba3f26de9d48a
Instruction Fuzzy Hash: 23F01D32641658BFE7215BA39C0DEAF7A7CEBC6B11F00016BFA05E105296A51A0586F5

Function 00E77230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00E77243
EnterCriticalSection.KERNEL32(?,?,00E20EE4,?,?), ref: 00E77254
TerminateThread.KERNEL32(00000000,000001F6,?,00E20EE4,?,?), ref: 00E77261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00E20EE4,?,?), ref: 00E7726E

Part of subcall function 00E76C35: CloseHandle.KERNEL32(00000000,?,00E7727B,?,00E20EE4,?,?), ref: 00E76C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00E77281
LeaveCriticalSection.KERNEL32(?,?,00E20EE4,?,?), ref: 00E77288

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 256949295fba9baab8159b3bfd584028f32b17ca5a8967cdb53ece3ddb73c8af
Instruction ID: cb0b6c7ebf664432e8d2be008fccd6e905b2378462f64659704b3b823502a6a9
Opcode Fuzzy Hash: 256949295fba9baab8159b3bfd584028f32b17ca5a8967cdb53ece3ddb73c8af
Instruction Fuzzy Hash: 80F05E76541612EFD7121B65ED4CADA7729EF45706B101533F603F10B1CB766815CB50

Function 00E68992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00E6899D
UnloadUserProfile.USERENV(?,?), ref: 00E689A9
CloseHandle.KERNEL32(?), ref: 00E689B2
CloseHandle.KERNEL32(?), ref: 00E689BA
GetProcessHeap.KERNEL32(00000000,?), ref: 00E689C3
HeapFree.KERNEL32(00000000), ref: 00E689CA

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: e6ac075cfa2ccfa7703110dd1bce7e3025400b9bce79d129bf1a8cf976f0715e
Instruction ID: 2ec9df965f067492369dde7636271f4f0d57558738c08344969cc14dfb079c49
Opcode Fuzzy Hash: e6ac075cfa2ccfa7703110dd1bce7e3025400b9bce79d129bf1a8cf976f0715e
Instruction Fuzzy Hash: 1AE0C236004001FFDA015FF3EC0C90ABB69FB89322B208233F219E1071CB329428DB90

Function 00E67530 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00EA2C7C,?), ref: 00E676EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00EA2C7C,?), ref: 00E67702
CLSIDFromProgID.OLE32(?,?,00000000,00E9FB80,000000FF,?,00000000,00000800,00000000,?,00EA2C7C,?), ref: 00E67727
_memcmp.LIBCMT ref: 00E67748

Strings

,,, xrefs: 00E6753D

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,
API String ID: 314563124-1556401989
Opcode ID: f013c1a6c6bf9f0dbd927fee475721e5e05bbd9228439d5b7c604889b7efed23
Instruction ID: f543848208c1dc8138a5c334a0dffe9e70ef44dac6fd207376ed659bbb5de2e2
Opcode Fuzzy Hash: f013c1a6c6bf9f0dbd927fee475721e5e05bbd9228439d5b7c604889b7efed23
Instruction Fuzzy Hash: 79815D71A00109EFCB04DFA4D984DEEB7B9FF89319F204199E546BB250DB71AE46CB60

Function 00E885ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E88613
CharUpperBuffW.USER32(?,?), ref: 00E88722
VariantClear.OLEAUT32(?), ref: 00E8889A

Part of subcall function 00E77562: VariantInit.OLEAUT32(00000000), ref: 00E775A2
Part of subcall function 00E77562: VariantCopy.OLEAUT32(00000000,?), ref: 00E775AB
Part of subcall function 00E77562: VariantClear.OLEAUT32(00000000), ref: 00E775B7

Strings

Incorrect Parameter format, xrefs: 00E8864B, 00E8880D
AUTOIT.ERROR, xrefs: 00E88728

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 904a6fd049a314d6ece32bba3e45cd853700417f1af4a7055411242a083f59a3
Instruction ID: 7d8754f2cc37a56b1c2eae31dbd8c5e4576ddc007eab6b47f1243085566cd82f
Opcode Fuzzy Hash: 904a6fd049a314d6ece32bba3e45cd853700417f1af4a7055411242a083f59a3
Instruction Fuzzy Hash: A091AC716043019FC714EF24C58499ABBE4EF89314F54982EF89EAB362DB31E945CB52

Function 00E72A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E2FC86: _wcscpy.LIBCMT ref: 00E2FCA9

_memset.LIBCMT ref: 00E72B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E72BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E72C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00E72C97

Strings

0, xrefs: 00E72B73

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 9a765949a2610823f83dcfb5abcf24f1ecd06ea4863100befdcac0a8429cf440
Instruction ID: fb12e0759658278352d1a18e8ef57537244078a529413f9e8c0b95d6a2f23a80
Opcode Fuzzy Hash: 9a765949a2610823f83dcfb5abcf24f1ecd06ea4863100befdcac0a8429cf440
Instruction Fuzzy Hash: E251D1716083019FD726DE28D84566FBBE8EFA4314F04AA2DFA98F2191DB70CD44D752

Function 00E23137 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E23277
_memmove.LIBCMT ref: 00E23310
_free.LIBCMT ref: 00E23336
_memmove.LIBCMT ref: 00E233E9

Strings

_, xrefs: 00E23322
3c, xrefs: 00E23225

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: _memmove$_free
String ID: 3c$_
API String ID: 2620147621-4099079164
Opcode ID: 294702bc83a7b8610bbf339c0f9b4d249e1c4d9d0e1eb9848f7e19a1dd583337
Instruction ID: a9075af40299eb78a71f982fcd5cce4f4abc4813826cc0ea8e90b926f4ba19d0
Opcode Fuzzy Hash: 294702bc83a7b8610bbf339c0f9b4d249e1c4d9d0e1eb9848f7e19a1dd583337
Instruction Fuzzy Hash: AA519971A043118FDB24DF28D891B6EBBE1AF85314F48586DE899A7351EB35E901CF82

Function 00E26192 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E26248
_memmove.LIBCMT ref: 00E262E4
_memset.LIBCMT ref: 00E26308

Strings

3c, xrefs: 00E262AF
ERCP, xrefs: 00E261B3

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: _memset$_memmove
String ID: 3c$ERCP
API String ID: 2532777613-1756721700
Opcode ID: ac55848c6f499eef91aa9c0e88e9c2baf50e46ce39ac647cdff29ee2c91a49ee
Instruction ID: 9fd11178c87597054587384ea51c5fe5050c26cfc37c8b06ecd5b874a57b8698
Opcode Fuzzy Hash: ac55848c6f499eef91aa9c0e88e9c2baf50e46ce39ac647cdff29ee2c91a49ee
Instruction Fuzzy Hash: 1C51B071900315DBDB24CF65D945BABBBF4EF84318F20566EE44AEB291E770AA44CB40

Function 00E72753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E727C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00E727DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00E72822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00ED5890,00000000), ref: 00E7286B

Strings

0, xrefs: 00E727B5

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 42234d5ddebf23662869167e61807a702a812dc4133f8822c15e1243d11acc74
Instruction ID: 8f8be3a8964b6104399550842dda6df0f4d43375094a739ccc1c76534767506b
Opcode Fuzzy Hash: 42234d5ddebf23662869167e61807a702a812dc4133f8822c15e1243d11acc74
Instruction Fuzzy Hash: E441C0702043419FE728DF25D844B5ABBE8EF85314F04992EFAA9A7291D731A805CB53

Function 00E8D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00E8D7C5

Part of subcall function 00E1784B: _memmove.LIBCMT ref: 00E17899

Strings

cdecl, xrefs: 00E8D81C
stdcall, xrefs: 00E8D847
winapi, xrefs: 00E8D836
none, xrefs: 00E8D8A0

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 4dc38122f6cc0a463a88eec3baa8aa5cb43df1e1b8939ff722a8d486a6a186f0
Instruction ID: d5e3b5e4d6b0b8312051da9828d010f085f9e3c90a28c8c6e2ee73baf5b1ab05
Opcode Fuzzy Hash: 4dc38122f6cc0a463a88eec3baa8aa5cb43df1e1b8939ff722a8d486a6a186f0
Instruction Fuzzy Hash: 9F31BE71908219ABCF04EF58DC559EEB7F4FF40324B10A629E869B72D1DB31A945CB80

Function 00E68E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E17DE1: _memmove.LIBCMT ref: 00E17E22

Part of subcall function 00E6AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00E6AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00E68F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00E68F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00E68F57

Part of subcall function 00E17BCC: _memmove.LIBCMT ref: 00E17C06

Strings

ListBox, xrefs: 00E68ED3
ComboBox, xrefs: 00E68E9E

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: a4737b2401755e19cdae03128b313debc99b88e13fd5c63fc207971eeb2406f6
Instruction ID: 3482bd4ced6a12bb008354049a7691cb8dda327cdae52d8795d8d330e3a2918d
Opcode Fuzzy Hash: a4737b2401755e19cdae03128b313debc99b88e13fd5c63fc207971eeb2406f6
Instruction Fuzzy Hash: 1821F271A44208BEDB14ABB0EC45DFEBBB9DF453A0F04622AF461B71E1DF350849DA50

Function 00E8182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00E8184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E81872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00E818A2
InternetCloseHandle.WININET(00000000), ref: 00E818E9

Part of subcall function 00E82483: GetLastError.KERNEL32(?,?,00E81817,00000000,00000000,00000001), ref: 00E82498
Part of subcall function 00E82483: SetEvent.KERNEL32(?,?,00E81817,00000000,00000000,00000001), ref: 00E824AD

Strings

, xrefs: 00E81893

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 2db578d919a115fc21a97a2c9171b957a87d66d375f23fd5fc8b3ca147d83460
Instruction ID: a5d07490d7ef1883da83a17d16702b516cb993b90ee80d6116a1b59b60eef16c
Opcode Fuzzy Hash: 2db578d919a115fc21a97a2c9171b957a87d66d375f23fd5fc8b3ca147d83460
Instruction Fuzzy Hash: E321AFB1500308BFEB12AB619C86EBB76EDEB48748F10516BF50DF3140DA208D0697A0

Function 00E963E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E11D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E11D73
Part of subcall function 00E11D35: GetStockObject.GDI32(00000011), ref: 00E11D87
Part of subcall function 00E11D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E11D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00E96461
LoadLibraryW.KERNEL32(?), ref: 00E96468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00E9647D
DestroyWindow.USER32(?), ref: 00E96485

Strings

SysAnimate32, xrefs: 00E9643C

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 7869ab5ef24a796e78486775aebd22c11e72f9eb59758c3fe07cd01ab2bc93c1
Instruction ID: e4e5a52d25e4f90dc5574356137dd81abd52699c76916afeb9cada85b6896daa
Opcode Fuzzy Hash: 7869ab5ef24a796e78486775aebd22c11e72f9eb59758c3fe07cd01ab2bc93c1
Instruction Fuzzy Hash: A0215B71200205BFEF108FA4DC84EBA77A9FB59768F10662BFA20A2191D7719C919760

Function 00E76D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00E76DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00E76DEF
GetStdHandle.KERNEL32(0000000C), ref: 00E76E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00E76E3B

Strings

nul, xrefs: 00E76E36

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 6adf273bd330a68ba95bdc3b4e58d794d92698045930ae0c37dbd80d0e668af1
Instruction ID: 435f3994ff579ae58fde7d91784dca82eb0571d14738cd058fbafcd61b920d1c
Opcode Fuzzy Hash: 6adf273bd330a68ba95bdc3b4e58d794d92698045930ae0c37dbd80d0e668af1
Instruction Fuzzy Hash: 57218174600609AFDB30AF29DC04A9A7BF4EF44728F20961AFDA4F72D0D77199548B60

Function 00E76E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00E76E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00E76EBB
GetStdHandle.KERNEL32(000000F6), ref: 00E76ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00E76F06

Strings

nul, xrefs: 00E76F01

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 504c7bdc850c677f4a5406da38fa6ccda2c7b99e957338a1c26690ef991be589
Instruction ID: 48301d95a37fea402f4d108b0c9d129e7e2824da1067e98af147c0ee278fc55e
Opcode Fuzzy Hash: 504c7bdc850c677f4a5406da38fa6ccda2c7b99e957338a1c26690ef991be589
Instruction Fuzzy Hash: 3C21A4755007059FDB209F69DC04A9A77E8EF45728F208A1AFCA4F72D0D770A951C761

Function 00E7AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00E7AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00E7ACA8
__swprintf.LIBCMT ref: 00E7ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,00E9F910), ref: 00E7ACFF

Strings

%lu, xrefs: 00E7ACBB

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 0adb9492e6ad6365ef9b5548442ec964e043d9a080389079cf0bd158e51ab493
Instruction ID: 5aeb22dc526e0683f655a487621b2f3ec3d4b8d05dc111887849dbad365d0860
Opcode Fuzzy Hash: 0adb9492e6ad6365ef9b5548442ec964e043d9a080389079cf0bd158e51ab493
Instruction Fuzzy Hash: 9D216231600109AFCB10DF65C945DEE7BF8EF89314B104069F509FB252DA31EA45CB61

Function 00E71142 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00E6FCED,?,00E70D40,?,00008000), ref: 00E7115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00E6FCED,?,00E70D40,?,00008000), ref: 00E71184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00E6FCED,?,00E70D40,?,00008000), ref: 00E7118E
Sleep.KERNEL32(?,?,?,?,?,?,?,00E6FCED,?,00E70D40,?,00008000), ref: 00E711C1

Strings

@, xrefs: 00E7119D

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID: @
API String ID: 2875609808-411606354
Opcode ID: 929810730a040d88d711b3e399c8d26b2452b3d894a2fc14b1ca0163beb4c793
Instruction ID: 8637a4937cce3080a323c1a8878f1001ee3e1cac54c283db1c6a4d88e38f89dc
Opcode Fuzzy Hash: 929810730a040d88d711b3e399c8d26b2452b3d894a2fc14b1ca0163beb4c793
Instruction Fuzzy Hash: 44113031D0262DDBCF009FAAD848AEEBBB8FF09711F419096DA45B6241CB705554CBD5

Function 00E71AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00E71B19

Strings

APPEND, xrefs: 00E71B52
EXISTS, xrefs: 00E71B41
KEYS, xrefs: 00E71B30
REMOVE, xrefs: 00E71B1F

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 3d36aac4d0ab3e33956b5b5ce796a420d04ba90955e6c0fc6ee5e3e18f43a9f2
Instruction ID: 06cd35290e548a5e40b3d9a507968fcca8f004040df9180af0443448883b0a99
Opcode Fuzzy Hash: 3d36aac4d0ab3e33956b5b5ce796a420d04ba90955e6c0fc6ee5e3e18f43a9f2
Instruction Fuzzy Hash: 34113031900208CFCF00DF54DA569EEB7B4BFA5344F10A4A9D815B7255EB325906CB54

Function 00E8EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00E8EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00E8EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00E8ED6A
CloseHandle.KERNEL32(?), ref: 00E8EDEB

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 539e4af58bcced83f173b6fc8103ec932e579033bd9c4508c22a459e4d17d8b4
Instruction ID: 63cab9cbe625b1bcccaea1a66691802ab85f365f7cb67fb04ac095e64dca27ce
Opcode Fuzzy Hash: 539e4af58bcced83f173b6fc8103ec932e579033bd9c4508c22a459e4d17d8b4
Instruction Fuzzy Hash: 068180716003009FD724EF28D896FAAB7E5AF44710F14981DF999EB3D2D670AC45CB92

Function 00E90037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E17DE1: _memmove.LIBCMT ref: 00E17E22

Part of subcall function 00E90E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E8FDAD,?,?), ref: 00E90E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E900FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E9013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00E90183
RegCloseKey.ADVAPI32(?,?), ref: 00E901AF
RegCloseKey.ADVAPI32(00000000), ref: 00E901BC

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 5c7213638a1a3baa08d746eb761bad50d9eacf31b29188538bde9aa6f8d214b6
Instruction ID: 7d380186bfb94484f97f02bdedee467f5bd462adb764c8a70df2a5cb8a0963d6
Opcode Fuzzy Hash: 5c7213638a1a3baa08d746eb761bad50d9eacf31b29188538bde9aa6f8d214b6
Instruction Fuzzy Hash: B7515D71208204AFDB04EF58C881EAEB7E9FF84714F40592DF596A72A2DB31E944CB52

Function 00E8D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00E19837: __itow.LIBCMT ref: 00E19862
Part of subcall function 00E19837: __swprintf.LIBCMT ref: 00E198AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00E8D927
GetProcAddress.KERNEL32(00000000,?), ref: 00E8D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 00E8D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 00E8DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00E8DA21

Part of subcall function 00E15A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00E77896,?,?,00000000), ref: 00E15A2C
Part of subcall function 00E15A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00E77896,?,?,00000000,?,?), ref: 00E15A50

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 07d7393d43626b2ae2a848422dde50fc1abb8f6a0bc879bc02cae97e7069c0b5
Instruction ID: 95730fe57355d1a6714a4e30169f679df4d193cb2a010c1022cba982d7733855
Opcode Fuzzy Hash: 07d7393d43626b2ae2a848422dde50fc1abb8f6a0bc879bc02cae97e7069c0b5
Instruction Fuzzy Hash: EE510635A04205DFCB04EFA8C8949EDB7F5EF49314B1490A6E859BB362D730ED85CB91

Function 00E7E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00E7E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00E7E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00E7E687

Part of subcall function 00E19837: __itow.LIBCMT ref: 00E19862
Part of subcall function 00E19837: __swprintf.LIBCMT ref: 00E198AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00E7E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00E7E6B4

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: ec073ca29c5229ade8b895b6f7dd6df81897eb4c9e4252a31149d328e8a674f7
Instruction ID: 99dc37165fab18ae073a254dfb106a417aec57a8989cf290272f09ba41675a3c
Opcode Fuzzy Hash: ec073ca29c5229ade8b895b6f7dd6df81897eb4c9e4252a31149d328e8a674f7
Instruction Fuzzy Hash: BA512935A00205DFCB05EFA5C991AAEBBF5EF09314F1480A9E809BB362CB31ED51CB50

Function 00E9A056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ae825a4cb94bd845b859b60526843e43d5835c7228ff391d0def1178ee3cf6a
Instruction ID: 8e272a7605093554dae08b983a26a0c23d40e137f1b3069d1f6e082d9c6ab882
Opcode Fuzzy Hash: 7ae825a4cb94bd845b859b60526843e43d5835c7228ff391d0def1178ee3cf6a
Instruction Fuzzy Hash: 9541CFB5906214AFCB209B29CC48FE9BBA4EF09310F191176E816B72E1C730AD45DA91

Function 00E12344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00E12357
ScreenToClient.USER32(00ED57B0,?), ref: 00E12374
GetAsyncKeyState.USER32(00000001), ref: 00E12399
GetAsyncKeyState.USER32(00000002), ref: 00E123A7

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 57159deab140caae6cdbed614100cafc787ee8590f5fe338f8b0d1c74e12c6b3
Instruction ID: 5e1559458b2fd9482915482da641c1da77cca922b0cf63b7223ab69451e7a0cc
Opcode Fuzzy Hash: 57159deab140caae6cdbed614100cafc787ee8590f5fe338f8b0d1c74e12c6b3
Instruction Fuzzy Hash: B8418235604106FFCF198F69DC44AEDBBB5BB05364F20531AF939B21A0C73599A4DBA0

Function 00E663AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E663E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00E66433
TranslateMessage.USER32(?), ref: 00E6645C
DispatchMessageW.USER32(?), ref: 00E66466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E66475

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 4e4bb2f0a86dbbd5d3f9d46601fbfa10bae1576cbd1dc26e5f2d7e636389d832
Instruction ID: ae1cb614c0fa189a23836d42f812524091c27d4264bc21b86c0d8e3c24a760d4
Opcode Fuzzy Hash: 4e4bb2f0a86dbbd5d3f9d46601fbfa10bae1576cbd1dc26e5f2d7e636389d832
Instruction Fuzzy Hash: 8031A331591646AFDB248FB1BC44BE67BB8FB01384F141167E421F61A1EB25948DD790

Function 00E68A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00E68A30
PostMessageW.USER32(?,00000201,00000001), ref: 00E68ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00E68AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00E68AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00E68AF8

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: f42e79d5ac1e712397e5f1b88f004e62674e86615cefc99a7b944c21b12ed41e
Instruction ID: eb8d5e958a1d5e92b0c8f2b2bc4725616795f2eea54de634dd0658358310092c
Opcode Fuzzy Hash: f42e79d5ac1e712397e5f1b88f004e62674e86615cefc99a7b944c21b12ed41e
Instruction Fuzzy Hash: 1F31E071900219EFDF14CFA8EA4CA9E3BB5EB04315F10922AF924F61D1C7B09954CB91

Function 00E6B1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00E6B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00E6B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00E6B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00E6B27F
_wcsstr.LIBCMT ref: 00E6B289

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: bf56ebf6fa2d6fa134bf1283f1c8205553c519801bd6c027804b6cee2d7c57d4
Instruction ID: 4333c216c9621311008520fc9bb41e935f1b0bab5185e4a441aefd2749812784
Opcode Fuzzy Hash: bf56ebf6fa2d6fa134bf1283f1c8205553c519801bd6c027804b6cee2d7c57d4
Instruction Fuzzy Hash: 5B21F5312442007BEB155B76AC59E7F7FECDF497A0F00513AF805EA161EB619C80D2A0

Function 00E9B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00E12612: GetWindowLongW.USER32(?,000000EB), ref: 00E12623

GetWindowLongW.USER32(?,000000F0), ref: 00E9B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00E9B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00E9B1CF
GetSystemMetrics.USER32(00000004), ref: 00E9B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00E80E90,00000000), ref: 00E9B216

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 7bd4dc9b8f4f0985984482f13c611d15f8db3a132409589e272b90a47b90210f
Instruction ID: 4da6afbea07295cb9ab247161946ef352de16007b382ccac787aeba0dbcdbca1
Opcode Fuzzy Hash: 7bd4dc9b8f4f0985984482f13c611d15f8db3a132409589e272b90a47b90210f
Instruction Fuzzy Hash: 23219F71A11255AFCF149F3AED44A6A3BA4FB05325F11573AF932E71E0E7309820DB90

Function 00E69307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00E69320

Part of subcall function 00E17BCC: _memmove.LIBCMT ref: 00E17C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00E69352
__itow.LIBCMT ref: 00E6936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00E69392
__itow.LIBCMT ref: 00E693A3

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: d7fbf21b01246536ebe42a133d9d54c775f1a58075bc0dd83210fdaf61ffbafa
Instruction ID: ad2f72835ab5fd5ff82cc05000947c23575027e3b4a135a077fb87481768d0c9
Opcode Fuzzy Hash: d7fbf21b01246536ebe42a133d9d54c775f1a58075bc0dd83210fdaf61ffbafa
Instruction Fuzzy Hash: E8210731780208BBDB109B619C89EEE7BADEB48750F046025F945FB2C2D6B08D558791

Function 00E85A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00E85A6E
GetForegroundWindow.USER32 ref: 00E85A85
GetDC.USER32(00000000), ref: 00E85AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00E85ACD
ReleaseDC.USER32(00000000,00000003), ref: 00E85B08

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 789c5d7fe5ccfc743dd65fe7a16be4f4b070ebd83d0e089d4c329296032c92d4
Instruction ID: ef18d2f8d66f3501e037904a0dac8be210bee2b9727897d02a54b36d6ee545dc
Opcode Fuzzy Hash: 789c5d7fe5ccfc743dd65fe7a16be4f4b070ebd83d0e089d4c329296032c92d4
Instruction Fuzzy Hash: 1221A436A00204AFDB04EF65DC88A9AB7E5EF48310F14807AF809E7352CE30AD44CB90

Function 00E112F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E1134D
SelectObject.GDI32(?,00000000), ref: 00E1135C
BeginPath.GDI32(?), ref: 00E11373
SelectObject.GDI32(?,00000000), ref: 00E1139C

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: e7224b71478f7d3b78c897f9c5a9349421124660febf091abf170f8899e3a084
Instruction ID: 01f96736fee5f2f586c30d687b5a310b85743dff42366a1c09d3e6ef0a041e3f
Opcode Fuzzy Hash: e7224b71478f7d3b78c897f9c5a9349421124660febf091abf170f8899e3a084
Instruction Fuzzy Hash: A7215976801608EFDB149F26FC057A97BA8EB00326F15426BE920B61B4D37098D9EF90

Function 00E74A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00E74ABA
__beginthreadex.LIBCMT ref: 00E74AD8
MessageBoxW.USER32(?,?,?,?), ref: 00E74AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00E74B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00E74B0A

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: b551d14120aa1de9a2ae2503f2a5c516d69919cafc0a41aaf8d489faf2ca9d64
Instruction ID: 3d165c9bded1c87197e008c0e9bdbb40b0a6133e8991d8fb393562a7792251bd
Opcode Fuzzy Hash: b551d14120aa1de9a2ae2503f2a5c516d69919cafc0a41aaf8d489faf2ca9d64
Instruction Fuzzy Hash: E811E9B6905214BFC7018BAAAC04A9A7FACEB45321F144267F818F32A1D771CD0887A0

Function 00E68202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E6821E
GetLastError.KERNEL32(?,00E67CE2,?,?,?), ref: 00E68228
GetProcessHeap.KERNEL32(00000008,?,?,00E67CE2,?,?,?), ref: 00E68237
HeapAlloc.KERNEL32(00000000,?,00E67CE2,?,?,?), ref: 00E6823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E68255

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 7f02c60288fe0eecb7563531b8ab3beab03b03e63855a5f7a1bdd1d6c3cc25cb
Instruction ID: 7503f6d446826e688880defb54ea61847e7bbf9b3552900d07012438deceb0df
Opcode Fuzzy Hash: 7f02c60288fe0eecb7563531b8ab3beab03b03e63855a5f7a1bdd1d6c3cc25cb
Instruction Fuzzy Hash: A20162B1645204BFDB104FA6ED48D6B7B6CEF89795750052AF809E2220DA318C44CAA0

Function 00E6710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E67044,80070057,?,?,?,00E67455), ref: 00E67127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E67044,80070057,?,?), ref: 00E67142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E67044,80070057,?,?), ref: 00E67150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E67044,80070057,?), ref: 00E67160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E67044,80070057,?,?), ref: 00E6716C

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 11165b1afce2e670649bdbaa38d789489fd7b00e875d5ba2a3b3d838c12a60eb
Instruction ID: 17436d181f08e407ff6b0cad30f147152fc16a38429440eab55d144fc35bd955
Opcode Fuzzy Hash: 11165b1afce2e670649bdbaa38d789489fd7b00e875d5ba2a3b3d838c12a60eb
Instruction Fuzzy Hash: 7301DFB2602204BFDB248F25EC44BAA7BACEF45799F100067FD84E2220DB71DD408BA0

Function 00E75244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E75260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00E7526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E75276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00E75280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E752BC

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 126c2d0577188b6ae47dd44631a298caf6b8ea11ed537ad4a9ecb40f744b755f
Instruction ID: 330febfbdba0a748bbc599d0ff77c8e89209c29cef78c2a401bfc062054e9516
Opcode Fuzzy Hash: 126c2d0577188b6ae47dd44631a298caf6b8ea11ed537ad4a9ecb40f744b755f
Instruction Fuzzy Hash: 96016D32D02A1DDBCF00EFE6E8485EDBB78FB08711F404156E945F2162DBB055548BA5

Function 00E6810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00E68121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00E6812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E6813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00E68141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E68157

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: a6efae7c42652476bda466bc2a52ca0a437370b079fd8e1485c6701292f3b1f0
Instruction ID: 47e0aa87a5016d65428df526bb4242859fcd5f982b65094fd7e156f9b4fcef2d
Opcode Fuzzy Hash: a6efae7c42652476bda466bc2a52ca0a437370b079fd8e1485c6701292f3b1f0
Instruction Fuzzy Hash: 8FF06271242304BFEB210FA6EC99E6B3BACFF4A798B100127F945E6161CB61DD45DA60

Function 00E6C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00E6C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 00E6C20E
MessageBeep.USER32(00000000), ref: 00E6C226
KillTimer.USER32(?,0000040A), ref: 00E6C242
EndDialog.USER32(?,00000001), ref: 00E6C25C

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 706a6796101efd6dd2b3a4c8a56d8a6e8a4dabf4877c26e693c38a2c3517e0d4
Instruction ID: 4f51768ce4b9fb2f05fb736aec398cebea261ca104266863dde97961742e7799
Opcode Fuzzy Hash: 706a6796101efd6dd2b3a4c8a56d8a6e8a4dabf4877c26e693c38a2c3517e0d4
Instruction Fuzzy Hash: 0301A270544704ABEB205B61FD5EFA677B8BB00B06F04026BE982F14F1DBE4A9588BD0

Function 00E113B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00E113BF
StrokeAndFillPath.GDI32(?,?,00E4B888,00000000,?), ref: 00E113DB
SelectObject.GDI32(?,00000000), ref: 00E113EE
DeleteObject.GDI32 ref: 00E11401
StrokePath.GDI32(?), ref: 00E1141C

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 62762e0744e3c80948768fb1e5a872b510cc4fe13ab5a2c571d68a69819d1d97
Instruction ID: 651c8138d654372b530ca52093e376ffc3f07ef06ae717b560ce567606f5e3ad
Opcode Fuzzy Hash: 62762e0744e3c80948768fb1e5a872b510cc4fe13ab5a2c571d68a69819d1d97
Instruction Fuzzy Hash: 7AF0F635006B08AFDB195F27FC487983BA8E700326F088277E529A80B1C73049A9EF50

Function 00E7C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00E7C432
CoCreateInstance.OLE32(00EA2D6C,00000000,00000001,00EA2BDC,?), ref: 00E7C44A

Part of subcall function 00E17DE1: _memmove.LIBCMT ref: 00E17E22

CoUninitialize.OLE32 ref: 00E7C6B7

Strings

.lnk, xrefs: 00E7C3C6, 00E7C3EE, 00E7C3F8

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 70b85c8883879f2ebdc51f376017efb58a58f25fa5e21bd99088d4c6acbb212b
Instruction ID: 17f63cc9d84b31cffce687a08d67d8fb755fbe2fa7286dadd71593962cf22b74
Opcode Fuzzy Hash: 70b85c8883879f2ebdc51f376017efb58a58f25fa5e21bd99088d4c6acbb212b
Instruction Fuzzy Hash: 11A15B71104205AFD704EF64C891EAFB7ECEF89344F00591DF195AB1A2EB71EA89CB52

Function 00E22CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00E30DB6: std::exception::exception.LIBCMT ref: 00E30DEC
Part of subcall function 00E30DB6: __CxxThrowException@8.LIBCMT ref: 00E30E01

Part of subcall function 00E17DE1: _memmove.LIBCMT ref: 00E17E22

Part of subcall function 00E17A51: _memmove.LIBCMT ref: 00E17AAB

__swprintf.LIBCMT ref: 00E22ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00E22D66

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 7f40f6491b61ae196244ab97ffd3b8fe3df47ca64b5f6ce0e34b59c19fe64c5d
Instruction ID: 509028a15e6a46ee3fc7142177947e3de967bd7de561d8adc0bbd0cd4ede8534
Opcode Fuzzy Hash: 7f40f6491b61ae196244ab97ffd3b8fe3df47ca64b5f6ce0e34b59c19fe64c5d
Instruction Fuzzy Hash: 17916D71108211AFC714EF24D895CAEB7F8EF85714F40691DF995BB2A1EA30ED88CB52

Function 00E7B93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E14750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E14743,?,?,00E137AE,?), ref: 00E14770

CoInitialize.OLE32(00000000), ref: 00E7B9BB
CoCreateInstance.OLE32(00EA2D6C,00000000,00000001,00EA2BDC,?), ref: 00E7B9D4
CoUninitialize.OLE32 ref: 00E7B9F1

Part of subcall function 00E19837: __itow.LIBCMT ref: 00E19862
Part of subcall function 00E19837: __swprintf.LIBCMT ref: 00E198AC

Strings

.lnk, xrefs: 00E7B99D, 00E7B9AB

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 261ef7886f1309e430d49d4602c204f981ebe9879e21e2644342be7e74365985
Instruction ID: 3df8bae49ffe6a8115cbbe34418b07533f65bc7fb3c8aa4efeec99815c660c72
Opcode Fuzzy Hash: 261ef7886f1309e430d49d4602c204f981ebe9879e21e2644342be7e74365985
Instruction Fuzzy Hash: 8BA17A756043019FCB04EF14C494E5AB7E5FF89314F148998F899AB3A2CB31ED46CB91

Function 00E6B2F3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00E6B4BE

Strings

Container, xrefs: 00E6B43B
AutoIt3GUI, xrefs: 00E6B436
%, xrefs: 00E6B561

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%
API String ID: 3565006973-1286912533
Opcode ID: 298be2cf652c1769e713f2bebe117deed3b71d75417e2ebf6b0a28b72bea8be3
Instruction ID: f70744a1279a65ae3ef3393b2df80491c404a98f849a9df529836c0c692b47aa
Opcode Fuzzy Hash: 298be2cf652c1769e713f2bebe117deed3b71d75417e2ebf6b0a28b72bea8be3
Instruction Fuzzy Hash: 9E917C706406019FDB14DF64D884BAABBE9FF48740F10946DF94AEB3A1EB71E881CB50

Function 00E3501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00E350AD

Part of subcall function 00E400F0: __87except.LIBCMT ref: 00E4012B

Strings

pow, xrefs: 00E35085, 00E350A2

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 82ce7f3fe9199c1b1d7709ad08527efeace60d112e8de78215532366bbac152f
Instruction ID: aeeb36370bb2f68c2c43c2ec42db24b311cccf73269392881c60e21716bf473d
Opcode Fuzzy Hash: 82ce7f3fe9199c1b1d7709ad08527efeace60d112e8de78215532366bbac152f
Instruction Fuzzy Hash: 7651BC2290990286CB15B724EC093AE2FD0DB40314F20AD78E5C1B63EADF358DC8DEC6

Function 00E58584 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E5862B
_memmove.LIBCMT ref: 00E58685

Strings

_, xrefs: 00E586FF, 00E5DFDC, 00E5DFF8
3c, xrefs: 00E5860C

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: _memmove
String ID: 3c$_
API String ID: 4104443479-4099079164
Opcode ID: b796853d937d28908723755c401e9daf831f643ae69b72cc0708dadbc497cb2a
Instruction ID: 94be3ecc4082511735d641a2c923643e0e0dcb6ca5794a2e6a4584c0a002efdf
Opcode Fuzzy Hash: b796853d937d28908723755c401e9daf831f643ae69b72cc0708dadbc497cb2a
Instruction Fuzzy Hash: 59516F70A00615DFCF24DF68D980AAEBBF1FF44305F14892AE85AF7250EB30A959CB51

Function 00E697F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E714BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00E69296,?,?,00000034,00000800,?,00000034), ref: 00E714E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00E6983F

Part of subcall function 00E71487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00E692C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00E714B1

Part of subcall function 00E713DE: GetWindowThreadProcessId.USER32(?,?), ref: 00E71409
Part of subcall function 00E713DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00E6925A,00000034,?,?,00001004,00000000,00000000), ref: 00E71419
Part of subcall function 00E713DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00E6925A,00000034,?,?,00001004,00000000,00000000), ref: 00E7142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00E698AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00E698F9

Strings

@, xrefs: 00E69911

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: dc39cc4a696e1314696794288fff52efa054c0d5ca2e692886f9fae84ebc1e0e
Instruction ID: cc35ca745494e04cde12eb3dc1de547a41a6659d6294ac9fc45be8bdf03bfae0
Opcode Fuzzy Hash: dc39cc4a696e1314696794288fff52efa054c0d5ca2e692886f9fae84ebc1e0e
Instruction Fuzzy Hash: AB41537690121CBFDB20DFA4CC45ADEBBB8EF45340F004199F959B7151DA716E45CBA0

Function 00E97946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00E9F910,00000000,?,?,?,?), ref: 00E979DF
GetWindowLongW.USER32 ref: 00E979FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00E97A0C

Strings

SysTreeView32, xrefs: 00E979B1

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 4f34bf3ea5663fa8362080d20a203510c69cd63126ce5abd4938020055fd9359
Instruction ID: 4242d8ad506706c96e04ca71b8dd29d4d8ee36cf2f72a742068a46b632bb8c3e
Opcode Fuzzy Hash: 4f34bf3ea5663fa8362080d20a203510c69cd63126ce5abd4938020055fd9359
Instruction Fuzzy Hash: EF31C031214206AFDF118E38DC41BEA77A9EB44328F215725F9B5F22E0D731ED558750

Function 00E973D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00E97461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00E97475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00E97499

Strings

SysMonthCal32, xrefs: 00E9742C

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: d96df60acf1dc9bf8486c03838b03598ef117985df7b34006de93873c56c8f38
Instruction ID: cb09be03b97b2c2b882347f43f223ab5ec8b532ed1d0cc480778a9649be3acf0
Opcode Fuzzy Hash: d96df60acf1dc9bf8486c03838b03598ef117985df7b34006de93873c56c8f38
Instruction Fuzzy Hash: 7121E132110218AFDF118E54CC42FEA3BAAEB48724F111214FE64BB1D1DA71AC95CBA0

Function 00E97B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00E97C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00E97C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00E97C5F

Strings

msctls_updown32, xrefs: 00E97BC4

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: fcdc5d834c47de1bb48290f0899f9397b00714f40e23d5dd8372dcb20d0da8a9
Instruction ID: f2979661f2b64b850f23aff161c3816bdfdbc15082982d6518e94d3f3fe8e85a
Opcode Fuzzy Hash: fcdc5d834c47de1bb48290f0899f9397b00714f40e23d5dd8372dcb20d0da8a9
Instruction Fuzzy Hash: C021AEB5214208AFDB10DF24DCC5DAA77EDEF4A358B10105AFA40AB3A1CB31EC15DAA0

Function 00E96CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00E96D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00E96D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00E96D70

Strings

Listbox, xrefs: 00E96D08

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 404a4a495aab12020a8a7b1b82e6dc4700829431c08371ce257c0c9cb74d488e
Instruction ID: ef249fd2c2204461023b2d38efd812126bf79d132987504e5bcd81f4d235bcc7
Opcode Fuzzy Hash: 404a4a495aab12020a8a7b1b82e6dc4700829431c08371ce257c0c9cb74d488e
Instruction Fuzzy Hash: 6121C232610118BFDF119F54DC45FEB3BBAEF89754F01912AF954BB1A0C6719C5187A0

Function 00E839E9 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00E83A66

Part of subcall function 00E17DE1: _memmove.LIBCMT ref: 00E17E22

Strings

AUTOITCALLVARIABLE%d, xrefs: 00E83A58
, $, xrefs: 00E83AA6
%, xrefs: 00E839F4

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d$%
API String ID: 3506404897-3879706725
Opcode ID: 706ce4306fa7ff5866914a4859a1d8d8ac9560ba0fffc58a56203b14d6434d1e
Instruction ID: 92cce0ecb19197c67271eb786f9700f2b70dc9bb823351c9259c8c0fc6532807
Opcode Fuzzy Hash: 706ce4306fa7ff5866914a4859a1d8d8ac9560ba0fffc58a56203b14d6434d1e
Instruction Fuzzy Hash: 22218431600219AACF14EF64CD81EEEB7F5AF44B00F502499E449B7141DB31EA42CB61

Function 00E9770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00E97772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00E97787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00E97794

Strings

msctls_trackbar32, xrefs: 00E97749

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: c020cf94720e084e04e7262cb50b5368f79ec23be8bac1aedbc38493c72c3832
Instruction ID: b6c6c8259441259c14ff514a34cdab8b4fda2caa5ea275f88054e3a689592a85
Opcode Fuzzy Hash: c020cf94720e084e04e7262cb50b5368f79ec23be8bac1aedbc38493c72c3832
Instruction Fuzzy Hash: 5B110A72254308BFEF145FA5DC05FEB77A9EF88B55F11511AF681B6090C672E851CB10

Function 00E36B71 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00E36B93
__calloc_crt.LIBCMT ref: 00E36BAC

Strings

@B, xrefs: 00E36BC3
, xrefs: 00E36BD1

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: __calloc_crt
String ID: $@B
API String ID: 3494438863-460053111
Opcode ID: 03dc17ac57647a3d01e2a8102eb5888317df6da85aa9ae1d4b68a15134092e4e
Instruction ID: 7eb41ad0afbf5d13533f7648027837002ee23ea63b921cc4ea9fae8d5de516ca
Opcode Fuzzy Hash: 03dc17ac57647a3d01e2a8102eb5888317df6da85aa9ae1d4b68a15134092e4e
Instruction Fuzzy Hash: 30F0A472205611EFE7248F39BD56BB26FE5E750330F10501BE100FE1A0EB308849CAC0

Function 00E39B79 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 00E39B94

Part of subcall function 00E39C0B: __mtinitlocknum.LIBCMT ref: 00E39C1D
Part of subcall function 00E39C0B: EnterCriticalSection.KERNEL32(00000000,?,00E39A7C,0000000D), ref: 00E39C36

__updatetlocinfoEx_nolock.LIBCMT ref: 00E39BA4

Part of subcall function 00E39100: ___addlocaleref.LIBCMT ref: 00E3911C
Part of subcall function 00E39100: ___removelocaleref.LIBCMT ref: 00E39127
Part of subcall function 00E39100: ___freetlocinfo.LIBCMT ref: 00E3913B

Strings

8, xrefs: 00E39B8A, 00E39B9F, 00E39BAB
8, xrefs: 00E39B85

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
String ID: 8$8
API String ID: 547918592-2648740355
Opcode ID: ad76d9e2adeedee7dd7573e9990edc96f841898cb74e058528f1c5662ac0cf2e
Instruction ID: 5443fb14c6163b2ec8f8850ce7be6f8e3fbe95edd94dd27ab6f3274caa897de7
Opcode Fuzzy Hash: ad76d9e2adeedee7dd7573e9990edc96f841898cb74e058528f1c5662ac0cf2e
Instruction Fuzzy Hash: 7EE08671543305A9D620F7A46A0FF28AED05B40725F2031ADF045753C2CEB50801C51B

Function 00E14C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00E14B83,?), ref: 00E14C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E14C56

Strings

Wow64RevertWow64FsRedirection, xrefs: 00E14C50
kernel32.dll, xrefs: 00E14C3F

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 2a405e383e134660e1fa9340097556a4a9fe09e9f1b9b67d6832c76d118e39b5
Instruction ID: 35703b4ebf7b647a27a44b48ce04236317b5044fc3dd43359b2eadf57508366f
Opcode Fuzzy Hash: 2a405e383e134660e1fa9340097556a4a9fe09e9f1b9b67d6832c76d118e39b5
Instruction Fuzzy Hash: F2D017B1611713DFEB209F32D91865AB6E4AF05355B21983FD896FA2A1E770D8C0CA90

Function 00E14C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00E14BD0,?,00E14DEF,?,00ED52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E14C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E14C23

Strings

kernel32.dll, xrefs: 00E14C0C
Wow64DisableWow64FsRedirection, xrefs: 00E14C1D

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 23814384d35e5a54fdee2820adbfa856f561442b50e3f2d7c03398769cd34550
Instruction ID: 9314aec2fc5624b16a6ed9cb50fccde8726d317e82721b69c6bab07df3f29b1e
Opcode Fuzzy Hash: 23814384d35e5a54fdee2820adbfa856f561442b50e3f2d7c03398769cd34550
Instruction Fuzzy Hash: 1ED01271511713DFD7205FB2D908A46B6D5EF09355B119C3FD485F62A1E6B0D4C0C690

Function 00E90DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00E91039), ref: 00E90DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00E90E07

Strings

RegDeleteKeyExW, xrefs: 00E90E01
advapi32.dll, xrefs: 00E90DF0

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 5ba2999693d3d4c80fb566040ce6ff711ee77ccd1773716d8585b88a69fe960d
Instruction ID: 6cd01ce9a927324d53139b53887ced362875dd08c4328d4ac390349707b28d42
Opcode Fuzzy Hash: 5ba2999693d3d4c80fb566040ce6ff711ee77ccd1773716d8585b88a69fe960d
Instruction Fuzzy Hash: CDD0C730400322CFCB208F72C808B8272E4AF00342F00AC3FD486F2162EAB1D8A0CAA0

Function 00E890E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00E88CF4,?,00E9F910), ref: 00E890EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00E89100

Strings

GetModuleHandleExW, xrefs: 00E890FA
kernel32.dll, xrefs: 00E890E9

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: e1135a7aa31c7dba79c528e8f0a00b3100af523703ae0a9fee0105e6793160f3
Instruction ID: 12d5701aea9952cf5b73bd9e27fe73dc375b0af662379c6d65b42f091eb2db90
Opcode Fuzzy Hash: e1135a7aa31c7dba79c528e8f0a00b3100af523703ae0a9fee0105e6793160f3
Instruction Fuzzy Hash: C3D01734A15723DFDB20AF32D91C65676E4AF05355B16983FD48AF65A1EB70C880CB90

Function 00E51714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00E51718
__swprintf.LIBCMT ref: 00E51749

Strings

%.3d, xrefs: 00E51723
WIN_XPe, xrefs: 00E51788

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: e0132ec4c6270b08026a1375c6c1a73cd69e7f84315756a26685e810ea8ad785
Instruction ID: 27aafb160ac15a81c3f4def88b6351f8fcdf43405778cd18626f295d7134a424
Opcode Fuzzy Hash: e0132ec4c6270b08026a1375c6c1a73cd69e7f84315756a26685e810ea8ad785
Instruction Fuzzy Hash: CDD01271845208FAC70097959889EFD777CA70E303F143893F806F2041E2218B99D621

Function 00E6717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c91d63bd60a85bcad93d78b552c94af169a77a7a25ee1f4b9a398ee0356e5321
Instruction ID: dc77b4215ff7a9b829b7e6ad7d5ab9ade53061461685b045bdb6c59939a414bc
Opcode Fuzzy Hash: c91d63bd60a85bcad93d78b552c94af169a77a7a25ee1f4b9a398ee0356e5321
Instruction Fuzzy Hash: FCC1A074A44216EFCB14CFA4D884EAEBBB5FF48348B109598E855EB351DB30ED81DB90

Function 00E8E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00E8E0BE
CharLowerBuffW.USER32(?,?), ref: 00E8E101

Part of subcall function 00E8D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00E8D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00E8E301
_memmove.LIBCMT ref: 00E8E314

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: eb48a69dbc79cb589716c47d57d1e601bffb97ac79c6797f634d1547613d65bc
Instruction ID: 9f648f0d0e393e81dba9ee86bf63c9e18afdf40fb0f5f7682035f37834fa1722
Opcode Fuzzy Hash: eb48a69dbc79cb589716c47d57d1e601bffb97ac79c6797f634d1547613d65bc
Instruction Fuzzy Hash: F0C15A716083019FC704EF28C494A6ABBE4FF89718F14996EF89DAB351D731E945CB82

Function 00E88093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00E880C3
CoUninitialize.OLE32 ref: 00E880CE

Part of subcall function 00E6D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00E6D5D4

VariantInit.OLEAUT32(?), ref: 00E880D9
VariantClear.OLEAUT32(?), ref: 00E883AA

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: f9494a575b209810b4f30bf19706dcb807610cd80949df01eba518c239503a6d
Instruction ID: 191c77dbc5e5071a54c19088ea9305b1310af0685c2d2df7c3d0ea3be9480e4e
Opcode Fuzzy Hash: f9494a575b209810b4f30bf19706dcb807610cd80949df01eba518c239503a6d
Instruction Fuzzy Hash: 64A189356047019FCB14EF64C991B6AB7E4BF89324F445419F99ABB3A2CB30ED45CB82

Function 00E6687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E6688E
SysAllocString.OLEAUT32(00000000), ref: 00E66937
VariantCopy.OLEAUT32 ref: 00E66966
VariantClear.OLEAUT32(?), ref: 00E6698D

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: d60827b50f70c7172c4522d4d0aea6eda17f07cb1836b2b7de5c65d9710b9d4c
Instruction ID: e365a84552e5ab4c9eb69a9a21e67328e99cb2afe5b49ce87ab2862ebe500f46
Opcode Fuzzy Hash: d60827b50f70c7172c4522d4d0aea6eda17f07cb1836b2b7de5c65d9710b9d4c
Instruction Fuzzy Hash: 0351D9747A43019ECF24AFA5E49166EB3E5AF45354F20F81FE596F7291DB30D8808701

Function 00E997F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0110D6F0,?), ref: 00E99863
ScreenToClient.USER32(00000002,00000002), ref: 00E99896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00E99903

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 5c105416164fcaf0cce49de4b295d917c3dd80ee88600e422a0332865ba0665a
Instruction ID: b2950fd2c8d31fa60eb6e759f25ef9def5752504ba75a8cc0956f9f8db8feefd
Opcode Fuzzy Hash: 5c105416164fcaf0cce49de4b295d917c3dd80ee88600e422a0332865ba0665a
Instruction Fuzzy Hash: BE516235A00204EFDF24CF58D980AAE7BB5FF85364F14916EF855AB2A1D730AD81CB90

Function 00E69A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00E69AD2
__itow.LIBCMT ref: 00E69B03

Part of subcall function 00E69D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00E69DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00E69B6C
__itow.LIBCMT ref: 00E69BC3

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 3625041acc38836e27bf1e4594553cc3cb6c324c817bdf4ddfef74b0bf460075
Instruction ID: fc45fb4f9a7fb4fd0f85d09bfc1cf5f427be6f9ea911e16b3f07f17e09dd3393
Opcode Fuzzy Hash: 3625041acc38836e27bf1e4594553cc3cb6c324c817bdf4ddfef74b0bf460075
Instruction Fuzzy Hash: E8419E70A40208ABDF11EF54E845FEE7BF9EF48764F001069F955B7292DB709A84CBA1

Function 00E869AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00E869D1
WSAGetLastError.WSOCK32(00000000), ref: 00E869E1

Part of subcall function 00E19837: __itow.LIBCMT ref: 00E19862
Part of subcall function 00E19837: __swprintf.LIBCMT ref: 00E198AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00E86A45
WSAGetLastError.WSOCK32(00000000), ref: 00E86A51

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 5605930966b0abda0253f9ec08ccfac16ca05472f0c854ce5c06730806bc032c
Instruction ID: b58c9406e66e5b392cd3312a22c2fbfb9e6a8fb3acd1573ad7e01a9264937252
Opcode Fuzzy Hash: 5605930966b0abda0253f9ec08ccfac16ca05472f0c854ce5c06730806bc032c
Instruction Fuzzy Hash: E041DE75740200AFEB64BF24DC96FBA37E89F04B14F049459FA19BB2C3CA709D408B91

Function 00E8641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00E9F910), ref: 00E864A7
_strlen.LIBCMT ref: 00E864D9

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 86324a30b793c17132262d70121fdaf2257a9e57e67bc76992459d2549fdba90
Instruction ID: 89897cf73e0299bbc8c32cafc948d2ba594460e3169f990e61dfa20e2c7d5d3c
Opcode Fuzzy Hash: 86324a30b793c17132262d70121fdaf2257a9e57e67bc76992459d2549fdba90
Instruction Fuzzy Hash: D441A031A00104ABCB14FBA9EC99EEEB7F9AF44314F149555F81DBB292DB30AE44CB50

Function 00E7B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00E7B89E
GetLastError.KERNEL32(?,00000000), ref: 00E7B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00E7B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00E7B915

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 86427f95ef157dec9049ac1a45dda40fe3c7dd7a2324886a1d08096fec84036e
Instruction ID: 106d88024bc32d9a20bd35c8bef235a6182f2f1996b880b1da04f00521e75aac
Opcode Fuzzy Hash: 86427f95ef157dec9049ac1a45dda40fe3c7dd7a2324886a1d08096fec84036e
Instruction Fuzzy Hash: 04412839600610DFCB14EF15C495A99BBE1EF8A314F19C099ED4AAB362CB30FD41CB91

Function 00E98851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00E988DE

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 7696cc033c1ec5fe0fa1dfdf4a6035b470ae2f7b9f9b41d513e94545a9a6177e
Instruction ID: 1a616f77cdb306d4cc34d0e3931e5622ca5633e8f9177ad89d67ad071814d2e4
Opcode Fuzzy Hash: 7696cc033c1ec5fe0fa1dfdf4a6035b470ae2f7b9f9b41d513e94545a9a6177e
Instruction Fuzzy Hash: DB31B034600208AEEF389E68DE45FF877A5EB47314F945116FA59F62B1CA3099409792

Function 00E9AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00E9AB60
GetWindowRect.USER32(?,?), ref: 00E9ABD6
PtInRect.USER32(?,?,00E9C014), ref: 00E9ABE6
MessageBeep.USER32(00000000), ref: 00E9AC57

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 96843e8b3e25916d0ca882ff1a22d62e3a59dda1133def0f02ebf0faa1aa3060
Instruction ID: 86a6106c993dd9de768059eba6bd38c7811480f6bee99040fec0357eaed3d708
Opcode Fuzzy Hash: 96843e8b3e25916d0ca882ff1a22d62e3a59dda1133def0f02ebf0faa1aa3060
Instruction Fuzzy Hash: 51418A356002099FCF15DF59D884AA9BBF6FF89304F1890BAE814EF260D730E845DB92

Function 00E70AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00E70B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00E70B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00E70BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00E70BFB

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: bc13505ea3a3672356b0e609e617859dc116ad9364931be5109a2a3d1f7e7037
Instruction ID: bb5c476e76ef22f409856819b51372c683d28ffcb74bb7ae8e0e241fda4b2302
Opcode Fuzzy Hash: bc13505ea3a3672356b0e609e617859dc116ad9364931be5109a2a3d1f7e7037
Instruction Fuzzy Hash: 1D312870A40218EEFB318B25DC09BFABBA6AB4531CF04E25BF499B21D1C3758E859751

Function 00E70C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00E70C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00E70C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00E70CE1
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00E70D33

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ca1f53fd75ad485a16989fbff5fcccda167069ea44f837ff6109e57a216345b2
Instruction ID: eb97cb5c2e3f1516b9b06cd40f67772a23fd250bbe06c8af8e1ad819eff88f76
Opcode Fuzzy Hash: ca1f53fd75ad485a16989fbff5fcccda167069ea44f837ff6109e57a216345b2
Instruction Fuzzy Hash: 5E314630A40308EFFF318A6998087FEFBA6AB45314F14E75BE588B21D1C3759D858791

Function 00E461C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00E461FB
__isleadbyte_l.LIBCMT ref: 00E46229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00E46257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00E4628D

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: c0b54b8730350cbe51489fefac6c4dd0a8183ca24b39c135e4cd1c9bd0299073
Instruction ID: 38770be24eb8385d98861afe13f41b468c09a649384a1c01b1d61b28e33ddbc4
Opcode Fuzzy Hash: c0b54b8730350cbe51489fefac6c4dd0a8183ca24b39c135e4cd1c9bd0299073
Instruction Fuzzy Hash: 8831FE30600246BFDF218F65EC48BAA7FB9FF42314F155029E824A71A1E770E850CB96

Function 00E94EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00E94F02

Part of subcall function 00E73641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00E7365B
Part of subcall function 00E73641: GetCurrentThreadId.KERNEL32 ref: 00E73662
Part of subcall function 00E73641: AttachThreadInput.USER32(00000000,?,00E75005), ref: 00E73669

GetCaretPos.USER32(?), ref: 00E94F13
ClientToScreen.USER32(00000000,?), ref: 00E94F4E
GetForegroundWindow.USER32 ref: 00E94F54

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 1f6dfa70f35415c63c64656641835fd84302e753ce6f73e9c523ee22d1d5441c
Instruction ID: bffc04bfe057bf825d901523664c480ee4659b53e03f2c53dfa1a2fb47df8558
Opcode Fuzzy Hash: 1f6dfa70f35415c63c64656641835fd84302e753ce6f73e9c523ee22d1d5441c
Instruction Fuzzy Hash: 13312DB1E00108AFDB00EFB5C8859EFB7F9EF89300F10506AE415F7241DA719E458BA0

Function 00E9C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E12612: GetWindowLongW.USER32(?,000000EB), ref: 00E12623

GetCursorPos.USER32(?), ref: 00E9C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00E4B9AB,?,?,?,?,?), ref: 00E9C4E7
GetCursorPos.USER32(?), ref: 00E9C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00E4B9AB,?,?,?), ref: 00E9C56E

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 3ea7f93d98c1537cb66d3a78a2a414347462b4aaec15a23a28b8fb211e7e9c53
Instruction ID: 4b1030852789fc8fb2c87f4d64b6cca4c5578024ef3204ae70f9e4dcd6e393c5
Opcode Fuzzy Hash: 3ea7f93d98c1537cb66d3a78a2a414347462b4aaec15a23a28b8fb211e7e9c53
Instruction Fuzzy Hash: 0C31D035600058AFCF25DF59C898EEE7BB5EB09310F15406AF905AB261C731AD60DBA4

Function 00E68656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E6810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00E68121
Part of subcall function 00E6810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00E6812B
Part of subcall function 00E6810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E6813A
Part of subcall function 00E6810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00E68141
Part of subcall function 00E6810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E68157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00E686A3
_memcmp.LIBCMT ref: 00E686C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E686FC
HeapFree.KERNEL32(00000000), ref: 00E68703

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 289c4a59e1ebb773ad225fd493611fccf1dd613bec8e6117ef279895a074c8eb
Instruction ID: f91afc917afc8dcb5a37bd044c870732b0ca1fc3bf2b67ed129265b8ad231d60
Opcode Fuzzy Hash: 289c4a59e1ebb773ad225fd493611fccf1dd613bec8e6117ef279895a074c8eb
Instruction Fuzzy Hash: 3821BD71E81108EFDB10DFA5DA48BEEB7B9EF40348F14915AE804BB241DB30AE05CB90

Function 00E3098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00E309AE

Part of subcall function 00E15A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00E77896,?,?,00000000), ref: 00E15A2C
Part of subcall function 00E15A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00E77896,?,?,00000000,?,?), ref: 00E15A50

_fprintf.LIBCMT ref: 00E309E5
OutputDebugStringW.KERNEL32(?), ref: 00E65DBB

Part of subcall function 00E34AAA: _flsall.LIBCMT ref: 00E34AC3

__setmode.LIBCMT ref: 00E30A1A

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 21423706aebaefc0a74f696a1e423c3d8ba619d4ad1161ae3edcfc9e6b8361e8
Instruction ID: 1cabd7b7867beb38d2ea8e645d650ab55a3fc49cb3edfb347c3d7daaf98cba81
Opcode Fuzzy Hash: 21423706aebaefc0a74f696a1e423c3d8ba619d4ad1161ae3edcfc9e6b8361e8
Instruction Fuzzy Hash: 891105B2944204AFDB08B7B4AC4A9FE7BE89F85360F142056F105B61D2EE306986D7A1

Function 00E81767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00E817A3

Part of subcall function 00E8182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00E8184C
Part of subcall function 00E8182D: InternetCloseHandle.WININET(00000000), ref: 00E818E9

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: f3aae3a2595a959e27fa096bff53089bb8e5f18b2a71ecb8a3d01464a52e7f79
Instruction ID: bde6036ab881cf4b4cfc335544151663eef913a8dda84d6f472f7be2114ba9ec
Opcode Fuzzy Hash: f3aae3a2595a959e27fa096bff53089bb8e5f18b2a71ecb8a3d01464a52e7f79
Instruction Fuzzy Hash: E521B031200601BFEB16AF609C01BBABBEDFF48710F10502FFA1DB6550D771981297A0

Function 00E73A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00E9FAC0), ref: 00E73A64
GetLastError.KERNEL32 ref: 00E73A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00E73A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00E9FAC0), ref: 00E73ADF

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: dbf98f2ad7def95e7f2e97a622a1bb8be20563a963da78b52d034301ac302d86
Instruction ID: aae4e982a9d9e691cd9e4125c6dd5dddbfa5847fe1d3c7b9c7e4f15d40dd435b
Opcode Fuzzy Hash: dbf98f2ad7def95e7f2e97a622a1bb8be20563a963da78b52d034301ac302d86
Instruction Fuzzy Hash: C721D6345083029F8750DF34D8828AA77E8AF55368F109A1EF4DDE72A1D731DE49DB42

Function 00E450E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E45101

Part of subcall function 00E3571C: __FF_MSGBANNER.LIBCMT ref: 00E35733
Part of subcall function 00E3571C: __NMSG_WRITE.LIBCMT ref: 00E3573A
Part of subcall function 00E3571C: RtlAllocateHeap.NTDLL(010F0000,00000000,00000001,00000000,?,?,?,00E30DD3,?), ref: 00E3575F

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ff8d4862e6db8649bc6853d422d191773bd489317a3fd59e5abaee663ef8553
Instruction ID: bee5d11eb3dbcfc1699b1a4da44ce918b33dddcd03544ea60d0f87a5c0556984
Opcode Fuzzy Hash: 9ff8d4862e6db8649bc6853d422d191773bd489317a3fd59e5abaee663ef8553
Instruction Fuzzy Hash: CB11E073902F16AFCB212F71BC49B6E3BD89B043A5F20652AF944BA352DE348940C690

Function 00E144A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E144CF

Part of subcall function 00E1407C: _memset.LIBCMT ref: 00E140FC
Part of subcall function 00E1407C: _wcscpy.LIBCMT ref: 00E14150
Part of subcall function 00E1407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E14160

KillTimer.USER32(?,00000001,?,?), ref: 00E14524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E14533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E4D4B9

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 12ba7317d00c4a3497beab2d7e21b212291ff840fea964a0b22d116961526a94
Instruction ID: 7b7467f23360a235c199b119c41b7204f4c8da71c19f2b97697ed411b8e35045
Opcode Fuzzy Hash: 12ba7317d00c4a3497beab2d7e21b212291ff840fea964a0b22d116961526a94
Instruction Fuzzy Hash: AC21D7B45087949FE7328B649C59BE6BFEC9F05318F04109EE79EB6281C3742A88CB51

Function 00E86369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00E15A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00E77896,?,?,00000000), ref: 00E15A2C
Part of subcall function 00E15A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00E77896,?,?,00000000,?,?), ref: 00E15A50

gethostbyname.WSOCK32(?,?,?), ref: 00E86399
WSAGetLastError.WSOCK32(00000000), ref: 00E863A4
_memmove.LIBCMT ref: 00E863D1
inet_ntoa.WSOCK32(?), ref: 00E863DC

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: ecea9fdd41342ab2b5980ffbca6fab9b1b344ef15963ff09a02eadb436e9a8f6
Instruction ID: 6cd4e602550546b55e7dccbf5e99f2409908eb671a57b9b4d5fe888a0a766859
Opcode Fuzzy Hash: ecea9fdd41342ab2b5980ffbca6fab9b1b344ef15963ff09a02eadb436e9a8f6
Instruction Fuzzy Hash: 8A115E32600109EFCB04FBA5DD96CEEB7F8AF44310B145065F50AB7162DB30AE54CB61

Function 00E68B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00E68B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E68B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E68B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E68BA4

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1f14572b532d84d274edfb486b1bb0b0e99aacc3eaa0f93ce140a56adb957d8e
Instruction ID: 9cd52dbe472593ba3addd51fa1caba76824e19b556d9378ba456bb8100ff3a5c
Opcode Fuzzy Hash: 1f14572b532d84d274edfb486b1bb0b0e99aacc3eaa0f93ce140a56adb957d8e
Instruction Fuzzy Hash: CF114879940218FFEB10DFA5CD84FADBBB8FB48350F2041A5EA00B7290DA716E10DB94

Function 00E11290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00E12612: GetWindowLongW.USER32(?,000000EB), ref: 00E12623

DefDlgProcW.USER32(?,00000020,?), ref: 00E112D8
GetClientRect.USER32(?,?), ref: 00E4B5FB
GetCursorPos.USER32(?), ref: 00E4B605
ScreenToClient.USER32(?,?), ref: 00E4B610

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 2f781781d36475160f219c28b4f762a27d9e584c5a0613ab9618870609dbc4c5
Instruction ID: 5b891518339e8c5b07417e07a3a6187990639d63949d74b2c0a84bd12699a653
Opcode Fuzzy Hash: 2f781781d36475160f219c28b4f762a27d9e584c5a0613ab9618870609dbc4c5
Instruction Fuzzy Hash: 07116A36A00119EFCF10EF99D8859EE77B8EB05301F5004A6FA01F3251C734BA95EBA5

Function 00E6D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00E6D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00E6D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00E6D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00E6D897

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 0c727369d8d550add82a370581d0fd491bf9fec7836fcfcdebc6559cdb8023a7
Instruction ID: a3d9ceb22b79991d502d522e158eb4a4a0b159f2b15358a9a81a685c699a2692
Opcode Fuzzy Hash: 0c727369d8d550add82a370581d0fd491bf9fec7836fcfcdebc6559cdb8023a7
Instruction Fuzzy Hash: 4F115EB5B49304EFE3248F51EC0CF92BBBCEB00B40F50856AE956E7051D7B0E9599BA1

Function 00E46FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00E46FDB

Part of subcall function 00E476C2: __fltout2.LIBCMT ref: 00E476EB

__cftog_l.LIBCMT ref: 00E47001
__cftoe_l.LIBCMT ref: 00E47033

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 0bc6ed3a73601141ba418ada21a21a700a1e5068b7d091be6b7353b7f28bc45d
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 72017B3244914ABBCF225E84EC01CEE3F62BB18354B499415FE9868030C336C9B1AB81

Function 00E9B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00E9B2E4
ScreenToClient.USER32(?,?), ref: 00E9B2FC
ScreenToClient.USER32(?,?), ref: 00E9B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E9B33B

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 0753f015acbdad7428cd24aee696d419d172f93df856f70aff1779cc6cb1462d
Instruction ID: d3fa80053765e91c2a72081a70a2bdad734e8d5ce758666a1b2176b4435f207a
Opcode Fuzzy Hash: 0753f015acbdad7428cd24aee696d419d172f93df856f70aff1779cc6cb1462d
Instruction Fuzzy Hash: 05114675D00209EFDB41CF99D5449EEBBB5FB08310F104166E915E3220D775AA558F91

Function 00E76BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00E76BE6

Part of subcall function 00E776C4: _memset.LIBCMT ref: 00E776F9

_memmove.LIBCMT ref: 00E76C09
_memset.LIBCMT ref: 00E76C16
LeaveCriticalSection.KERNEL32(?), ref: 00E76C26

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 7a10d5f62173121dab745dc954679f41e0aef505e8b7560060a9dc0a3c6a4f04
Instruction ID: ba579f7367b96660e62f06be4ae1459fae6da4bd0d37d0e975b2d248d7ba5dc2
Opcode Fuzzy Hash: 7a10d5f62173121dab745dc954679f41e0aef505e8b7560060a9dc0a3c6a4f04
Instruction Fuzzy Hash: 2FF0543A200100ABCF016F55DC89A4ABF69EF45321F04C066FE08AE227C731E811CBB4

Function 00E12218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00E12231
SetTextColor.GDI32(?,000000FF), ref: 00E1223B
SetBkMode.GDI32(?,00000001), ref: 00E12250
GetStockObject.GDI32(00000005), ref: 00E12258
GetWindowDC.USER32(?,00000000), ref: 00E4BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 00E4BE90
GetPixel.GDI32(00000000,?,00000000), ref: 00E4BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 00E4BEC2
GetPixel.GDI32(00000000,?,?), ref: 00E4BEE2
ReleaseDC.USER32(?,00000000), ref: 00E4BEED

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 43a6942115a8b1be6ce7cc4e91074642688644d2215cce28b2058cc315fc73f0
Instruction ID: e2efdcd20e4e07a74f6bb001566460d18451c7cda6c35b2631275f2fbbc870d6
Opcode Fuzzy Hash: 43a6942115a8b1be6ce7cc4e91074642688644d2215cce28b2058cc315fc73f0
Instruction Fuzzy Hash: A6E03031504144AEDB215FA6FC0D7D83B10EB05336F108367FA69A80F187714994DB51

Function 00E68712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00E6871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,00E682E6), ref: 00E68722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00E682E6), ref: 00E6872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,00E682E6), ref: 00E68736

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: fb713ed2404e8bb480a360b495b868e026f78cdb1b68e9d7f1b99a6161bd4526
Instruction ID: ebb657cbb741d637c8f1dc84f84a0b56f1d66e96a14c68a0967840519aba7bc7
Opcode Fuzzy Hash: fb713ed2404e8bb480a360b495b868e026f78cdb1b68e9d7f1b99a6161bd4526
Instruction Fuzzy Hash: 67E026326012119FD7205FB26D0CB463BACEF147D2F10482BF645E9040DA348449C710

Function 00E16240 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%, xrefs: 00E1624E

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID: %
API String ID: 0-2291192146
Opcode ID: 7a11a5e82b2aa05e62b184933c7f1199dff9b255e5fca7a3db8c8ab96b376771
Instruction ID: df4c2717622aa0c7bafb962fecb7f43f0c38c0d4cc733a661fcc056b7702f3ba
Opcode Fuzzy Hash: 7a11a5e82b2aa05e62b184933c7f1199dff9b255e5fca7a3db8c8ab96b376771
Instruction Fuzzy Hash: 80B18C719041099BCF24EF98C8859FEBBB9FF84314F506026E962B7291DB349EC5CB91

Function 00E8AEA2 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 00E8AFAE

Strings

xb, xrefs: 00E8AFE4
xb, xrefs: 00E8B010

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: __itow_s
String ID: xb$xb
API String ID: 3653519197-3775679291
Opcode ID: c2b6d0b2a827d167f7537d0854023e2138dcb046a8607a1181833ad51eef8b99
Instruction ID: c5714c16c3006cbc9812005945da8c85eeb739af80650d57d29928fa3ae67631
Opcode Fuzzy Hash: c2b6d0b2a827d167f7537d0854023e2138dcb046a8607a1181833ad51eef8b99
Instruction Fuzzy Hash: 25B15D70A00209AFDB14EF54C895DEABBF9FF58304F14905AF94DAB291DB30E985CB50

Function 00E7AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00E2FC86: _wcscpy.LIBCMT ref: 00E2FCA9

Part of subcall function 00E19837: __itow.LIBCMT ref: 00E19862
Part of subcall function 00E19837: __swprintf.LIBCMT ref: 00E198AC

__wcsnicmp.LIBCMT ref: 00E7B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00E7B0F6

Strings

LPT, xrefs: 00E7B027

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 7169a82e30c9ff056cef8fed44c38f842fd8b0c6a7158381ec8fc1692fc278c6
Instruction ID: 66a905ac2c443825f75f4e9f620d8b48d69d3381804fb6120d05bfdb50f4c357
Opcode Fuzzy Hash: 7169a82e30c9ff056cef8fed44c38f842fd8b0c6a7158381ec8fc1692fc278c6
Instruction Fuzzy Hash: B7614E75A00215AFCB14EF94D895EEEB7F8AB08314F109069F91ABB251DB70AE84CB50

Function 00E22957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00E22968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00E22981

Strings

@, xrefs: 00E22975

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 09c6577ef87353f985511a6ee143778dfff98fab35d8be702fa37cbfe5e9ba01
Instruction ID: c04cd89675ca4f0ba5bb1cafd9c33e9c65110f4aacc29c738b5a8ee9db5c5b11
Opcode Fuzzy Hash: 09c6577ef87353f985511a6ee143778dfff98fab35d8be702fa37cbfe5e9ba01
Instruction Fuzzy Hash: B3513871408744ABD720EF11DC86BEBBBE8FB85344F81495DF2D8610A2DB318569CB56

Function 00E79734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00E14F0B: __fread_nolock.LIBCMT ref: 00E14F29

_wcscmp.LIBCMT ref: 00E79824
_wcscmp.LIBCMT ref: 00E79837

Strings

FILE, xrefs: 00E79770

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 3e7ac6c2810e9ea7ba55ad06d87ed00d1833ba6b2c333eacfc0da62ce0ef5818
Instruction ID: ecc680508e9f048fcae3de6470e05d14fa6e36f1eab30d9713dd511950f5f145
Opcode Fuzzy Hash: 3e7ac6c2810e9ea7ba55ad06d87ed00d1833ba6b2c333eacfc0da62ce0ef5818
Instruction Fuzzy Hash: 3D41D571A00209BADF259EA4CC45FEFBBFDDF89714F00506AF904B7281DA719A45CB61

Function 00E50574 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00E5057F

Strings

Dd, xrefs: 00E1A151
Dd, xrefs: 00E1A317

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ClearVariant
String ID: Dd$Dd
API String ID: 1473721057-2413357308
Opcode ID: e1fc0a7f295be272941672937f03f9f7cc3903dd7e06b1bd917416b57ac6ad48
Instruction ID: bc11a6eac8e13822573b5e25e11842a584b7636bb6c35650b00833b8f25d1ddb
Opcode Fuzzy Hash: e1fc0a7f295be272941672937f03f9f7cc3903dd7e06b1bd917416b57ac6ad48
Instruction Fuzzy Hash: 2E5115B86063419FD754CF19C480AAABBF1FB99354F58682DF895AB321D331E885CF42

Function 00E8258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E8259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00E825D4

Strings

|, xrefs: 00E825A5

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 86f3b73cb3793a4bdde8a3e27959fc1e09fa1299a38775e03c63514c9d8578b6
Instruction ID: 1a064a0f813560e7e5c86a15dbc908edf3a7027d17686afd04c9e60ff926cdd1
Opcode Fuzzy Hash: 86f3b73cb3793a4bdde8a3e27959fc1e09fa1299a38775e03c63514c9d8578b6
Instruction Fuzzy Hash: D5310771800119EBCF01EFA0CC85EEEBFB9FF08350F10105AF959B6162EA315996DB60

Function 00E97A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00E97B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00E97B76

Strings

', xrefs: 00E97ACA

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: c5e25f23244a72868329b35b9b5deb93c747f1c5814ee3ab185ea02ca6bca997
Instruction ID: 7bc3c1528e8e8096b0110d550cc689e85a1163f54a77ae076f5f1b9514a6aa4e
Opcode Fuzzy Hash: c5e25f23244a72868329b35b9b5deb93c747f1c5814ee3ab185ea02ca6bca997
Instruction Fuzzy Hash: 3C410675A0530A9FDF14CF65C981BEABBB5FB08304F10116AE944AB391E770A955CF90

Function 00E96A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00E96B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00E96B53

Strings

static, xrefs: 00E96AB3

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 410771852221cb4f277d8cf2a5e8199cb3ae651d57c04b626f1ff08303ac5289
Instruction ID: c06eb8492418bcaf840ac0552c7a6799579b7cc3bb58ba6bf58b82127b172d5e
Opcode Fuzzy Hash: 410771852221cb4f277d8cf2a5e8199cb3ae651d57c04b626f1ff08303ac5289
Instruction Fuzzy Hash: 6031AF71200604AEDF109F64DC80BFB73B9FF48764F10A61AF9A9E7190EA70AC81C760

Function 00E728A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E72911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E7294C

Strings

0, xrefs: 00E7290A

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 334c52bb05f26ee5c96a565e6cf1d55d7c68f8b68b2dcc5a151dc7ed2401f13a
Instruction ID: ead3233a1eadcf4757068ae3a8751990e6f5531947cc34fd045f8cb71b8069f1
Opcode Fuzzy Hash: 334c52bb05f26ee5c96a565e6cf1d55d7c68f8b68b2dcc5a151dc7ed2401f13a
Instruction Fuzzy Hash: 0131C331A003059FEF28CF58C845BAEBBF8EF85354F18A02DEB89B61A0D7709944CB51

Function 00E966D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00E96761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E9676C

Strings

Combobox, xrefs: 00E9672E

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 6eeb7251b2150d6219eb52d9c05fe44fb984f424384fed4977f48aca58c7a2a5
Instruction ID: 0633b3f29fbb7752fdc589a0fd4f9e78b0fe18d87869f5babdc005396e3c1bf3
Opcode Fuzzy Hash: 6eeb7251b2150d6219eb52d9c05fe44fb984f424384fed4977f48aca58c7a2a5
Instruction Fuzzy Hash: 1A118275200208AFEF119F94DC81EFB37AAEB483A8F11512BF914A7291D6719C5187A0

Function 00E96C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00E11D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E11D73
Part of subcall function 00E11D35: GetStockObject.GDI32(00000011), ref: 00E11D87
Part of subcall function 00E11D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E11D91

GetWindowRect.USER32(00000000,?), ref: 00E96C71
GetSysColor.USER32(00000012), ref: 00E96C8B

Strings

static, xrefs: 00E96C4E

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 87d4cbcf8103fb83bf15e3f5982417b7ea06b01c042dbe8a7ae495139f3c0a6a
Instruction ID: c583fed43478557e67e0a68df449ba808d23b38b51c0c9ac19f47526fb1ffe41
Opcode Fuzzy Hash: 87d4cbcf8103fb83bf15e3f5982417b7ea06b01c042dbe8a7ae495139f3c0a6a
Instruction Fuzzy Hash: B8212972510209AFDF04DFA8DC45AEABBA8FB08314F11562AF995E2250D635E850DB60

Function 00E96920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00E969A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00E969B1

Strings

edit, xrefs: 00E96986

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 7d34b2f4fc172e0d4a837b84e3ea13e9c34514b5c73067fa680487d56233ec95
Instruction ID: 3601a0635768eb3351fc407059c26435058202298f3b3e013feb15a63db8dd90
Opcode Fuzzy Hash: 7d34b2f4fc172e0d4a837b84e3ea13e9c34514b5c73067fa680487d56233ec95
Instruction Fuzzy Hash: BD116D71500204AFEF108E64DC44EEB37A9EB45378F505726F9A5B61E0C675DC949760

Function 00E729AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E72A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00E72A41

Strings

0, xrefs: 00E72A18

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 9eae8b8004503aec6007dd47d97d93466facacbfcf41dd60010128bb8d498038
Instruction ID: 6f658c94ff3ca9bbde6bceb11dab130299a743c786e7ea682e98796db61b0671
Opcode Fuzzy Hash: 9eae8b8004503aec6007dd47d97d93466facacbfcf41dd60010128bb8d498038
Instruction Fuzzy Hash: 4311D632D01114ABCB34DA69E844BAA77A8EB45304F14A02AEA5DF7250D730AD0AD791

Function 00E821D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00E8222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00E82255

Strings

<local>, xrefs: 00E8221D

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 04030134e64278d8ae14dda91352ebaf926e59a3d2fd4bcb51c04ace0d61636a
Instruction ID: 47b673853fb48766bf7c4c8c76771310839017eac1321e78b9a58b0868dd8ccb
Opcode Fuzzy Hash: 04030134e64278d8ae14dda91352ebaf926e59a3d2fd4bcb51c04ace0d61636a
Instruction Fuzzy Hash: 5311CEB0501225BEDB24AF518C88EFAFBA8FB06355F10922EFA0CA6010E2705894D7F0

Function 00E2092D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00E13C14,00ED52F8,?,?,?), ref: 00E2096E

Part of subcall function 00E17BCC: _memmove.LIBCMT ref: 00E17C06

_wcscat.LIBCMT ref: 00E54CB7

Strings

S, xrefs: 00E209AE

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: S
API String ID: 257928180-3334745618
Opcode ID: a710951481d70e9e5830306e9707ab05d83f4a5c32420e32d8e590d5a8d89cfa
Instruction ID: d4475153b708c027a483463ae7e577882e897101e86e299aad9f64cada1a6477
Opcode Fuzzy Hash: a710951481d70e9e5830306e9707ab05d83f4a5c32420e32d8e590d5a8d89cfa
Instruction Fuzzy Hash: 5811C831905218AF8B40FB64EC06EDD77F8EF88350B0064A6F985F3286EAB097C84B10

Function 00E68E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E17DE1: _memmove.LIBCMT ref: 00E17E22

Part of subcall function 00E6AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00E6AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00E68E73

Strings

ListBox, xrefs: 00E68E3D
ComboBox, xrefs: 00E68E12

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 4609c19d068f3de6f107e37e4e64c547657eae19403180390789792a12d97830
Instruction ID: 94fcbcaaae5296de5d595355541ae0754df0b5cf5450717130ccfe06a2165018
Opcode Fuzzy Hash: 4609c19d068f3de6f107e37e4e64c547657eae19403180390789792a12d97830
Instruction Fuzzy Hash: CE0128B2A81228ABCB14EBA0DD41DFE73A8EF423A0B04171AF871772D1DE325808C650

Function 00E68CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E17DE1: _memmove.LIBCMT ref: 00E17E22

Part of subcall function 00E6AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00E6AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00E68D6B

Strings

ListBox, xrefs: 00E68D35
ComboBox, xrefs: 00E68D0A

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: c1b5fdce9e1cfb6042e5f649209f877d894feb3ab83359cb104a099afc3c6888
Instruction ID: 7ccda5835cffdbaf2c335297525d90d9ff30c496e42c0d2d38a0c8f4c645470f
Opcode Fuzzy Hash: c1b5fdce9e1cfb6042e5f649209f877d894feb3ab83359cb104a099afc3c6888
Instruction Fuzzy Hash: 6C01F772A81208ABCB14EBE0DA52EFE77ECDF15380F14212AB851732D1DE215E08D671

Function 00E68D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E17DE1: _memmove.LIBCMT ref: 00E17E22

Part of subcall function 00E6AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00E6AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00E68DEE

Strings

ListBox, xrefs: 00E68DBA
ComboBox, xrefs: 00E68D8F

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 3f2d5ddbc89b755587e6111f9a4dfd537ae88fa4cd475d4d3782f41f579b6dda
Instruction ID: 0d3f4743376b7642bc4553a0ce68ef89d49d54948a8e6c698f27f40fff8e6b6f
Opcode Fuzzy Hash: 3f2d5ddbc89b755587e6111f9a4dfd537ae88fa4cd475d4d3782f41f579b6dda
Instruction Fuzzy Hash: 8B012B72A81208BBCB14E7E4DA42EFE73ECCF11380F142116B851732D2DE114E08D671

Function 00E6C4EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E6C534

Part of subcall function 00E6C816: _memmove.LIBCMT ref: 00E6C860
Part of subcall function 00E6C816: VariantInit.OLEAUT32(00000000), ref: 00E6C882
Part of subcall function 00E6C816: VariantCopy.OLEAUT32(00000000,?), ref: 00E6C88C

VariantClear.OLEAUT32(?), ref: 00E6C556

Strings

d}, xrefs: 00E6C517

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Variant$Init$ClearCopy_memmove
String ID: d}
API String ID: 2932060187-1207350282
Opcode ID: e79fb76f7b713bb2c79757b1a83377eba4f596714480bc2d568c99f6676f4e91
Instruction ID: 481270d9daf4122363abfcc3c0617d89a2f551914135b296fcc7bafde332992f
Opcode Fuzzy Hash: e79fb76f7b713bb2c79757b1a83377eba4f596714480bc2d568c99f6676f4e91
Instruction Fuzzy Hash: 551100719007089FC710DF9AD88499AF7F8FF08354B50852FE59AE7611D771AA49CF50

Function 00E74F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00E74F46
_wcscmp.LIBCMT ref: 00E74F58

Strings

#32770, xrefs: 00E74F52

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 37d6cd623322bd87c02c0c8ed1fffb27e4beeb00e21dca4437b9367d120b2838
Instruction ID: 2012edf655f3c750f639b47ec1cf732001a926be503bbc2a608cb30a898c3151
Opcode Fuzzy Hash: 37d6cd623322bd87c02c0c8ed1fffb27e4beeb00e21dca4437b9367d120b2838
Instruction Fuzzy Hash: 18E0D1326003282BD7109795AD49FA7F7ECDB45B70F001057FD04F3151D5609A55C7D1

Function 00E4B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00E4B314: _memset.LIBCMT ref: 00E4B321

Part of subcall function 00E30940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00E4B2F0,?,?,?,00E1100A), ref: 00E30945

IsDebuggerPresent.KERNEL32(?,?,?,00E1100A), ref: 00E4B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00E1100A), ref: 00E4B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00E4B2FE

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: a707601a19f55b0c8dc8bf9a1cf820e7c95fe43ee43eb163c0d48b6212f44890
Instruction ID: a4675dcf73cae377a4c0b5261971f2928b8a387c58e1e6c14751c1b7d8f1b375
Opcode Fuzzy Hash: a707601a19f55b0c8dc8bf9a1cf820e7c95fe43ee43eb163c0d48b6212f44890
Instruction Fuzzy Hash: B8E06D70200710CFD721DF2AE4043867BE4AF44754F00992EE486E7250EBF4E448CBA1

Function 00E51935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00E51775

Part of subcall function 00E8BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00E5195E,?), ref: 00E8BFFE
Part of subcall function 00E8BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00E8C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00E5196D

Strings

WIN_XPe, xrefs: 00E51788

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: bbc6e520955c6d5ee0b4cba1a50f6aa127092f15d589337f1c2b7327bf2d6cb1
Instruction ID: 1df631be87b3497cba83bf2fc33c72baf665190d8345a946225140c713814512
Opcode Fuzzy Hash: bbc6e520955c6d5ee0b4cba1a50f6aa127092f15d589337f1c2b7327bf2d6cb1
Instruction Fuzzy Hash: 95F01570801108EFCB15DB96C984BECBBF8AB08306F242497E106B20A1C7304E88CF60

Function 00E95998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E959AE
PostMessageW.USER32(00000000), ref: 00E959B5

Part of subcall function 00E75244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E752BC

Strings

Shell_TrayWnd, xrefs: 00E959A7

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 516fc001e7e6b3a6bc28a4af1027392369a56d7e3280a3f2d79b11c57279df92
Instruction ID: c63b5bec7cb46a6fe2f4f35517c5895854b621a50a1ba38f9a1c6a25ec1e0b52
Opcode Fuzzy Hash: 516fc001e7e6b3a6bc28a4af1027392369a56d7e3280a3f2d79b11c57279df92
Instruction Fuzzy Hash: E2D0C932780311BBE664AB719D0BF976665AB04B50F01182AB24AFA1E1C9E0A805C694

Function 00E95964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E9596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00E95981

Part of subcall function 00E75244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E752BC

Strings

Shell_TrayWnd, xrefs: 00E95967

Memory Dump Source

Source File: 00000000.00000002.2064173828.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2064093740.0000000000E10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000E9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064251495.0000000000EC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064335406.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064358495.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_hesaphareketi-01.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: c32a29af5fd105254fd5f44fae75c86560e1a57baa8c3ffc223b8b9a7b7f0aad
Instruction ID: f6ca2f03af0764b4a4e60bc85e9a1c4e6e70bbd4a502794018f3eb9663d8fe5e
Opcode Fuzzy Hash: c32a29af5fd105254fd5f44fae75c86560e1a57baa8c3ffc223b8b9a7b7f0aad
Instruction Fuzzy Hash: 2BD0C932784311BBE664AB719D1BFA76A65AB00B50F01182AB24AFA1E1C9E09805C694

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hesaphareketi-01.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Mazatl

C:\Users\user\AppData\Local\Temp\autAC23.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
hesaphareketi-01.pdf.exe

Function 00E13B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 00E149A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00E14E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00E79155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00E1301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00E13041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00E1708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00E13633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 00E13A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00E13766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 00E1F76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Function 01184488 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00E139D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 01184268 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 140
fileCOMMON

Function 00E1407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre