Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
hesaphareketi-20-12-2024-pdf.exe

Overview

General Information

Sample name:hesaphareketi-20-12-2024-pdf.exe
Analysis ID:1578873
MD5:1cb211d3d1aead7eb34777c5d76695da
SHA1:5d61854d0be9ba2360f721cb79c3b06c07e59106
SHA256:23419d1f783c90e855cd52aaa46ddc97e06f2514dbaf6abf69f1aec24c279fe6
Tags:AgentTeslaexegeoTURuser-abuse_ch
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • hesaphareketi-20-12-2024-pdf.exe (PID: 7724 cmdline: "C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exe" MD5: 1CB211D3D1AEAD7EB34777C5D76695DA)
    • MSBuild.exe (PID: 7820 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
    • WerFault.exe (PID: 7948 cmdline: C:\Windows\system32\WerFault.exe -u -p 7724 -s 1052 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.normagroup.com.tr", "Username": "admin@normagroup.com.tr", "Password": "Qb.X[.j.Yfm["}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000000.00000002.1745623478.00000202CDB5C000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_UACBypassusingCMSTPYara detected UAC Bypass using CMSTPJoe Security
      00000002.00000002.3879068717.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000002.00000002.3879068717.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000002.00000002.3881351503.00000000033EE000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            00000002.00000002.3881351503.00000000033A1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              Click to see the 9 entries

              Unpacked PEs

              SourceRuleDescriptionAuthorStrings
              2.2.MSBuild.exe.400000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                2.2.MSBuild.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  2.2.MSBuild.exe.400000.0.unpackINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
                  • 0x33019:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                  • 0x3308b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
                  • 0x33115:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
                  • 0x331a7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                  • 0x33211:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                  • 0x33283:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                  • 0x33319:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                  • 0x333a9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
                  2.2.MSBuild.exe.400000.0.unpackMALWARE_Win_AgentTeslaV2AgenetTesla Type 2 Keylogger payloadditekSHen
                  • 0x304da:$s2: GetPrivateProfileString
                  • 0x2fbd1:$s3: get_OSFullName
                  • 0x31184:$s5: remove_Key
                  • 0x31311:$s5: remove_Key
                  • 0x32252:$s6: FtpWebRequest
                  • 0x32ffb:$s7: logins
                  • 0x3356d:$s7: logins
                  • 0x36250:$s7: logins
                  • 0x36330:$s7: logins
                  • 0x37c2e:$s7: logins
                  • 0x36eca:$s9: 1.85 (Hash, version 2, native byte-order)
                  0.2.hesaphareketi-20-12-2024-pdf.exe.202dd88bec0.1.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                    Click to see the 15 entries

                    Sigma Signatures

                    No Sigma rule has matched

                    Suricata Signatures

                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2024-12-20T16:01:39.647064+010020299271A Network Trojan was detected192.168.2.949707104.247.165.9921TCP
                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2024-12-20T16:01:40.777963+010028555421A Network Trojan was detected192.168.2.949709104.247.165.9952545TCP
                    2024-12-20T16:01:40.898148+010028555421A Network Trojan was detected192.168.2.949709104.247.165.9952545TCP

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Found malware configuration
                    Source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd8c6308.2.raw.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.normagroup.com.tr", "Username": "admin@normagroup.com.tr", "Password": "Qb.X[.j.Yfm["}
                    Multi AV Scanner detection for submitted file
                    Source: hesaphareketi-20-12-2024-pdf.exeVirustotal: Detection: 13%Perma Link
                    Source: hesaphareketi-20-12-2024-pdf.exeReversingLabs: Detection: 34%
                    AI detected suspicious sample
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                    Machine Learning detection for sample
                    Source: hesaphareketi-20-12-2024-pdf.exeJoe Sandbox ML: detected

                    Exploits

                    barindex
                    Yara detected UAC Bypass using CMSTP
                    Source: Yara matchFile source: 00000000.00000002.1745623478.00000202CDB5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: hesaphareketi-20-12-2024-pdf.exe PID: 7724, type: MEMORYSTR
                    Source: hesaphareketi-20-12-2024-pdf.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: System.pdb`w source: WER6841.tmp.dmp.5.dr
                    Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER6841.tmp.dmp.5.dr
                    Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1744733346.00000202CBCDF000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbE source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1744733346.00000202CBC7D000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.ni.pdbRSDS source: WER6841.tmp.dmp.5.dr
                    Source: Binary string: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.PDB source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1744217513.000000A1C5D93000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb4 source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1744733346.00000202CBCDF000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER6841.tmp.dmp.5.dr
                    Source: Binary string: pC:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.PDBP source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1744217513.000000A1C5D93000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1744733346.00000202CBCDF000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER6841.tmp.dmp.5.dr
                    Source: Binary string: \??\C:\Windows\mscorlib.pdb source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1744733346.00000202CBCDF000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1744733346.00000202CBCDF000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.pdb source: WER6841.tmp.dmp.5.dr
                    Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1744733346.00000202CBC7D000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: hesaphareketi-20-12-2024-pdf.PDB source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1744217513.000000A1C5D93000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WER6841.tmp.dmp.5.dr
                    Source: Binary string: System.Core.ni.pdb source: WER6841.tmp.dmp.5.dr
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1744733346.00000202CBC7D000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: mscorlib.pdb source: WER6841.tmp.dmp.5.dr
                    Source: Binary string: mscorlib.ni.pdb source: WER6841.tmp.dmp.5.dr
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1744733346.00000202CBCDF000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\mscorlib.pdb source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1744733346.00000202CBCDF000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Core.pdb source: WER6841.tmp.dmp.5.dr
                    Source: Binary string: \??\C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.PDB source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1744733346.00000202CBCDF000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.ni.pdb source: WER6841.tmp.dmp.5.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WER6841.tmp.dmp.5.dr

                    Networking

                    barindex
                    Suricata IDS alerts for network traffic
                    Source: Network trafficSuricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.9:49707 -> 104.247.165.99:21
                    Source: Network trafficSuricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.9:49709 -> 104.247.165.99:52545
                    Source: global trafficTCP traffic: 192.168.2.9:49709 -> 104.247.165.99:52545
                    Source: Joe Sandbox ViewIP Address: 104.247.165.99 104.247.165.99
                    Source: Joe Sandbox ViewASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS
                    Source: unknownFTP traffic detected: 104.247.165.99:21 -> 192.168.2.9:49707 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 18:01. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 18:01. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 18:01. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 18:01. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: global trafficDNS traffic detected: DNS query: ftp.normagroup.com.tr
                    Source: MSBuild.exe, 00000002.00000002.3881351503.0000000003487000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3881351503.000000000375E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3881351503.0000000003412000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3881351503.00000000033EE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ftp.normagroup.com.tr
                    Source: MSBuild.exe, 00000002.00000002.3881351503.00000000033EE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: Amcache.hve.5.drString found in binary or memory: http://upx.sf.net
                    Source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1746824194.00000202DD850000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3879068717.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49674 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49673 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49677 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49676 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    barindex
                    Contains functionality to log keystrokes (.Net Source)
                    Source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd8c6308.2.raw.unpack, SKTzxzsJw.cs.Net Code: TFawXa
                    Source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd88bec0.1.raw.unpack, SKTzxzsJw.cs.Net Code: TFawXa
                    Installs a global keyboard hook
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exeJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                    Source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd88bec0.1.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd88bec0.1.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                    Source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd8c6308.2.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd8c6308.2.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                    Source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd8c6308.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd8c6308.2.raw.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                    Source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd88bec0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd88bec0.1.raw.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess Stats: CPU usage > 49%
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeCode function: 0_2_00007FF8880461100_2_00007FF888046110
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeCode function: 0_2_00007FF88804BD480_2_00007FF88804BD48
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeCode function: 0_2_00007FF888057D570_2_00007FF888057D57
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeCode function: 0_2_00007FF88804BD500_2_00007FF88804BD50
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeCode function: 0_2_00007FF8880476880_2_00007FF888047688
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeCode function: 0_2_00007FF888043EC30_2_00007FF888043EC3
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeCode function: 0_2_00007FF888051F990_2_00007FF888051F99
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeCode function: 0_2_00007FF88804E7DA0_2_00007FF88804E7DA
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeCode function: 0_2_00007FF88804F0300_2_00007FF88804F030
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeCode function: 0_2_00007FF888043AFF0_2_00007FF888043AFF
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeCode function: 0_2_00007FF888040B400_2_00007FF888040B40
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeCode function: 0_2_00007FF8880575C90_2_00007FF8880575C9
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeCode function: 0_2_00007FF88805364A0_2_00007FF88805364A
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeCode function: 0_2_00007FF888044CD10_2_00007FF888044CD1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_015841902_2_01584190
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_01589BB02_2_01589BB0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_01584A602_2_01584A60
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_0158CF202_2_0158CF20
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_01583E482_2_01583E48
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_060711022_2_06071102
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_060711282_2_06071128
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_0607F1B42_2_0607F1B4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_0158D2D82_2_0158D2D8
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7724 -s 1052
                    Source: hesaphareketi-20-12-2024-pdf.exeStatic PE information: No import functions for PE file found
                    Source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1746824194.00000202DD850000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamecef57186-8600-43f5-9c05-f8d076dd51f0.exe4 vs hesaphareketi-20-12-2024-pdf.exe
                    Source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1746824194.00000202DD850000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUwemucazonixemociL vs hesaphareketi-20-12-2024-pdf.exe
                    Source: hesaphareketi-20-12-2024-pdf.exeBinary or memory string: OriginalFilenameAkekubaw: vs hesaphareketi-20-12-2024-pdf.exe
                    Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd88bec0.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd88bec0.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd8c6308.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd8c6308.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd8c6308.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd8c6308.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd88bec0.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd88bec0.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: hesaphareketi-20-12-2024-pdf.exeStatic PE information: Section: .rsrc ZLIB complexity 0.9970711624238469
                    Source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd8c6308.2.raw.unpack, 4JJG6X.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd8c6308.2.raw.unpack, 4JJG6X.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd8c6308.2.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd8c6308.2.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd8c6308.2.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd8c6308.2.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd8c6308.2.raw.unpack, CqSP68Ir.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd8c6308.2.raw.unpack, CqSP68Ir.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1744733346.00000202CBC7D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbE
                    Source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1744733346.00000202CBC7D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
                    Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winEXE@4/5@1/1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMutant created: NULL
                    Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7724
                    Source: C:\Windows\System32\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\1273fb41-c72b-4dda-8803-4c8aaf920099Jump to behavior
                    Source: hesaphareketi-20-12-2024-pdf.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: hesaphareketi-20-12-2024-pdf.exeVirustotal: Detection: 13%
                    Source: hesaphareketi-20-12-2024-pdf.exeReversingLabs: Detection: 34%
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeFile read: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exe "C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exe"
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7724 -s 1052
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: vaultcli.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: hesaphareketi-20-12-2024-pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: hesaphareketi-20-12-2024-pdf.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                    Source: hesaphareketi-20-12-2024-pdf.exeStatic file information: File size 5277184 > 1048576
                    Source: hesaphareketi-20-12-2024-pdf.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x478a00
                    Source: hesaphareketi-20-12-2024-pdf.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: hesaphareketi-20-12-2024-pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: System.pdb`w source: WER6841.tmp.dmp.5.dr
                    Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER6841.tmp.dmp.5.dr
                    Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1744733346.00000202CBCDF000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbE source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1744733346.00000202CBC7D000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.ni.pdbRSDS source: WER6841.tmp.dmp.5.dr
                    Source: Binary string: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.PDB source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1744217513.000000A1C5D93000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb4 source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1744733346.00000202CBCDF000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER6841.tmp.dmp.5.dr
                    Source: Binary string: pC:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.PDBP source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1744217513.000000A1C5D93000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1744733346.00000202CBCDF000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER6841.tmp.dmp.5.dr
                    Source: Binary string: \??\C:\Windows\mscorlib.pdb source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1744733346.00000202CBCDF000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1744733346.00000202CBCDF000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.pdb source: WER6841.tmp.dmp.5.dr
                    Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1744733346.00000202CBC7D000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: hesaphareketi-20-12-2024-pdf.PDB source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1744217513.000000A1C5D93000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WER6841.tmp.dmp.5.dr
                    Source: Binary string: System.Core.ni.pdb source: WER6841.tmp.dmp.5.dr
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1744733346.00000202CBC7D000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: mscorlib.pdb source: WER6841.tmp.dmp.5.dr
                    Source: Binary string: mscorlib.ni.pdb source: WER6841.tmp.dmp.5.dr
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1744733346.00000202CBCDF000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\mscorlib.pdb source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1744733346.00000202CBCDF000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Core.pdb source: WER6841.tmp.dmp.5.dr
                    Source: Binary string: \??\C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.PDB source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1744733346.00000202CBCDF000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.ni.pdb source: WER6841.tmp.dmp.5.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WER6841.tmp.dmp.5.dr
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeCode function: 0_2_00007FF88818026B push esp; retf 4810h0_2_00007FF888180312
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_0607AA20 push es; ret 2_2_0607AA30
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    barindex
                    Yara detected AntiVM3
                    Source: Yara matchFile source: Process Memory Space: hesaphareketi-20-12-2024-pdf.exe PID: 7724, type: MEMORYSTR
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    Source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1745623478.00000202CDB5C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                    Source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1745623478.00000202CDB5C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeMemory allocated: 202CBD50000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeMemory allocated: 202E5840000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 1580000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 33A0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 1790000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1200000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1199874Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1199765Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1199656Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1199547Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1199437Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1199321Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1199171Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1198967Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1198802Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1198648Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1198538Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1198437Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1198328Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1198218Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1198109Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1197999Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1197890Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1197781Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1197671Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1197562Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1197453Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1197343Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1197234Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1197125Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1197015Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1196906Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1196797Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1196687Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1196578Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1196468Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1196359Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1196249Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1196140Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1196031Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1195921Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1195812Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1195703Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1195593Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1195484Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1195375Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1195265Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1195156Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1195047Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1194937Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1194828Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1194718Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1194609Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1194499Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1194390Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 1535Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 8324Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -31359464925306218s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1200000s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1199874s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1199765s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1199656s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1199547s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1199437s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1199321s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1199171s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1198967s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1198802s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1198648s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1198538s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1198437s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1198328s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1198218s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1198109s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1197999s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1197890s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1197781s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1197671s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1197562s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1197453s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1197343s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1197234s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1197125s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1197015s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1196906s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1196797s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1196687s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1196578s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1196468s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1196359s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1196249s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1196140s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1196031s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1195921s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1195812s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1195703s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1195593s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1195484s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1195375s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1195265s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1195156s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1195047s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1194937s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1194828s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1194718s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1194609s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1194499s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8168Thread sleep time: -1194390s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1200000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1199874Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1199765Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1199656Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1199547Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1199437Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1199321Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1199171Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1198967Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1198802Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1198648Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1198538Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1198437Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1198328Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1198218Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1198109Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1197999Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1197890Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1197781Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1197671Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1197562Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1197453Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1197343Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1197234Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1197125Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1197015Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1196906Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1196797Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1196687Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1196578Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1196468Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1196359Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1196249Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1196140Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1196031Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1195921Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1195812Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1195703Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1195593Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1195484Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1195375Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1195265Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1195156Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1195047Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1194937Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1194828Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1194718Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1194609Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1194499Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 1194390Jump to behavior
                    Source: Amcache.hve.5.drBinary or memory string: VMware
                    Source: Amcache.hve.5.drBinary or memory string: VMware Virtual USB Mouse
                    Source: Amcache.hve.5.drBinary or memory string: vmci.syshbin
                    Source: Amcache.hve.5.drBinary or memory string: VMware, Inc.
                    Source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1745623478.00000202CDB5C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: Amcache.hve.5.drBinary or memory string: VMware20,1hbin@
                    Source: Amcache.hve.5.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                    Source: Amcache.hve.5.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: Amcache.hve.5.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.5.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1745623478.00000202CDB5C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
                    Source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1745623478.00000202CDB5C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE
                    Source: Amcache.hve.5.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                    Source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1745623478.00000202CDB5C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                    Source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1745623478.00000202CDB5C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
                    Source: Amcache.hve.5.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.5.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: MSBuild.exe, 00000002.00000002.3880357437.000000000166E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: Amcache.hve.5.drBinary or memory string: vmci.sys
                    Source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1745623478.00000202CDB5C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
                    Source: Amcache.hve.5.drBinary or memory string: vmci.syshbin`
                    Source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1745623478.00000202CDB5C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                    Source: Amcache.hve.5.drBinary or memory string: \driver\vmci,\driver\pci
                    Source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1745623478.00000202CDB5C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
                    Source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1745623478.00000202CDB5C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                    Source: Amcache.hve.5.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: Amcache.hve.5.drBinary or memory string: VMware20,1
                    Source: Amcache.hve.5.drBinary or memory string: Microsoft Hyper-V Generation Counter
                    Source: Amcache.hve.5.drBinary or memory string: NECVMWar VMware SATA CD00
                    Source: Amcache.hve.5.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                    Source: Amcache.hve.5.drBinary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
                    Source: Amcache.hve.5.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                    Source: Amcache.hve.5.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                    Source: Amcache.hve.5.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                    Source: Amcache.hve.5.drBinary or memory string: VMware PCI VMCI Bus Device
                    Source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1745623478.00000202CDB5C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
                    Source: hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1745623478.00000202CDB5C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                    Source: Amcache.hve.5.drBinary or memory string: VMware VMCI Bus Device
                    Source: Amcache.hve.5.drBinary or memory string: VMware Virtual RAM
                    Source: Amcache.hve.5.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                    Source: Amcache.hve.5.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Allocates memory in foreign processes
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and writeJump to behavior
                    Injects a PE file into a foreign processes
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5AJump to behavior
                    Writes to foreign memory regions
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43C000Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43E000Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 10EE008Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeQueries volume information: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exe VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                    Source: Amcache.hve.5.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                    Source: Amcache.hve.5.drBinary or memory string: msmpeng.exe
                    Source: Amcache.hve.5.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                    Source: Amcache.hve.5.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                    Source: Amcache.hve.5.drBinary or memory string: MsMpEng.exe

                    Stealing of Sensitive Information

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: dump.pcap, type: PCAP
                    Source: Yara matchFile source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd88bec0.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd8c6308.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd8c6308.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd88bec0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000002.00000002.3879068717.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.3881351503.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.3881351503.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1746824194.00000202DD850000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: hesaphareketi-20-12-2024-pdf.exe PID: 7724, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 7820, type: MEMORYSTR
                    Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                    Tries to harvest and steal ftp login credentials
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\FTP Navigator\Ftplist.txtJump to behavior
                    Tries to steal Mail credentials (via file / registry access)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                    Source: Yara matchFile source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd88bec0.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd8c6308.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd8c6308.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd88bec0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000002.00000002.3879068717.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.3881351503.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1746824194.00000202DD850000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: hesaphareketi-20-12-2024-pdf.exe PID: 7724, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 7820, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: dump.pcap, type: PCAP
                    Source: Yara matchFile source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd88bec0.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd8c6308.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd8c6308.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.hesaphareketi-20-12-2024-pdf.exe.202dd88bec0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000002.00000002.3879068717.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.3881351503.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.3881351503.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1746824194.00000202DD850000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: hesaphareketi-20-12-2024-pdf.exe PID: 7724, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 7820, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                    Windows Management Instrumentation                    		1
                    DLL Side-Loading                    		1
                    DLL Side-Loading                    		1
                    Disable or Modify Tools                    		2
                    OS Credential Dumping                    		1
                    File and Directory Discovery                    		Remote Services11
                    Archive Collected Data                    		12
                    Encrypted Channel                    		1
                    Exfiltration Over Alternative Protocol                    		Abuse Accessibility Features
                    CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts311
                    Process Injection                    		1
                    Deobfuscate/Decode Files or Information                    		21
                    Input Capture                    		24
                    System Information Discovery                    		Remote Desktop Protocol2
                    Data from Local System                    		1
                    Non-Standard Port                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
                    Obfuscated Files or Information                    		1
                    Credentials in Registry                    		231
                    Security Software Discovery                    		SMB/Windows Admin Shares1
                    Email Collection                    		1
                    Non-Application Layer Protocol                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
                    Software Packing                    		NTDS1
                    Process Discovery                    		Distributed Component Object Model21
                    Input Capture                    		12
                    Application Layer Protocol                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    DLL Side-Loading                    		LSA Secrets151
                    Virtualization/Sandbox Evasion                    		SSH1
                    Clipboard Data                    		Fallback ChannelsScheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts151
                    Virtualization/Sandbox Evasion                    		Cached Domain Credentials1
                    Application Window Discovery                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items311
                    Process Injection                    		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    hesaphareketi-20-12-2024-pdf.exe14%VirustotalBrowse
                    hesaphareketi-20-12-2024-pdf.exe34%ReversingLabsWin32.Trojan.AgentTesla
                    hesaphareketi-20-12-2024-pdf.exe100%Joe Sandbox ML

                    Dropped Files

                    No Antivirus matches

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    No Antivirus matches

                    URLs

                    No Antivirus matches

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    ftp.normagroup.com.tr
                    		104.247.165.99
                    		truetrue
                      		unknown
                      fp2e7a.wpc.phicdn.net
                      		192.229.221.95
                      		truefalse
                        		high

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        http://ftp.normagroup.com.trMSBuild.exe, 00000002.00000002.3881351503.0000000003487000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3881351503.000000000375E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3881351503.0000000003412000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3881351503.00000000033EE000.00000004.00000800.00020000.00000000.sdmpfalse
                          		unknown
                          http://upx.sf.netAmcache.hve.5.drfalse
                            		high
                            https://account.dyn.com/hesaphareketi-20-12-2024-pdf.exe, 00000000.00000002.1746824194.00000202DD850000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3879068717.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                              		high
                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameMSBuild.exe, 00000002.00000002.3881351503.00000000033EE000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high

                                World Map of Contacted IPs

                                • No. of IPs < 25%
                                • 25% < No. of IPs < 50%
                                • 50% < No. of IPs < 75%
                                • 75% < No. of IPs

                                Public IPs

                                IPDomainCountryFlagASNASN NameMalicious
                                104.247.165.99
                                		ftp.normagroup.com.trUnited States
                                		8100ASN-QUADRANET-GLOBALUStrue

                                General Information

                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1578873
                                Start date and time:2024-12-20 16:00:31 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 8m 16s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of analysed new started processes analysed:11
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:hesaphareketi-20-12-2024-pdf.exe
                                Detection:MAL
                                Classification:mal100.troj.spyw.expl.evad.winEXE@4/5@1/1
                                EGA Information:
                                • Successful, ratio: 50%
                                HCA Information:
                                • Successful, ratio: 89%
                                • Number of executed functions: 169
                                • Number of non-executed functions: 3
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Override analysis time to 240000 for current running targets taking high CPU consumption

                                Warnings

                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                • Excluded IPs from analysis (whitelisted): 20.190.181.23, 40.126.53.18, 40.126.53.15, 40.126.53.10, 20.190.181.6, 20.190.181.5, 20.231.128.67, 40.126.53.14, 2.20.68.210, 2.20.68.201, 4.245.163.56, 13.95.31.18, 52.182.143.212, 20.12.23.50, 192.229.221.95
                                • Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, ctldl.windowsupdate.com.delivery.microsoft.com, slscr.update.microsoft.com, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, login.msa.msidentity.com, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, onedsblobprdcus15.centralus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, glb.cws.prod.dcat.dsp.trafficmanager.net, blobcollector.events.data.trafficmanager.net, ocsp.edge.digicert.com, sls.update.microsoft.com, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
                                • Execution Graph export aborted for target hesaphareketi-20-12-2024-pdf.exe, PID 7724 because it is empty
                                • Not all processes where analyzed, report is missing behavior information
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • Report size getting too big, too many NtReadVirtualMemory calls found.
                                • Report size getting too big, too many NtSetInformationFile calls found.

                                Simulations

                                Behavior and APIs

                                TimeTypeDescription
                                10:01:40API Interceptor9722342x Sleep call for process: MSBuild.exe modified
                                10:02:02API Interceptor1x Sleep call for process: WerFault.exe modified

                                Joe Sandbox View / Context

                                IPs

                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                104.247.165.99pE7icjUisS.exeGet hashmaliciousAgentTeslaBrowse
                                  hesaphareket.exeGet hashmaliciousAgentTeslaBrowse
                                    wKmhzHd4MC.exeGet hashmaliciousAgentTeslaBrowse
                                      hesaphareketi__20241001.exeGet hashmaliciousAgentTeslaBrowse
                                        EUR Swift Bildirimi12-08-2024.exeGet hashmaliciousAgentTeslaBrowse
                                          LisectAVT_2403002A_134.exeGet hashmaliciousAgentTeslaBrowse
                                            hesaphareketi_____.exeGet hashmaliciousAgentTeslaBrowse
                                              hesaphareketi__.exeGet hashmaliciousAgentTeslaBrowse
                                                hesaphareketi-.exeGet hashmaliciousAgentTeslaBrowse
                                                  hesaphareketi-.exeGet hashmaliciousAgentTeslaBrowse

                                                    Domains

                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    fp2e7a.wpc.phicdn.netLbtytfWpvx.vbsGet hashmaliciousRemcosBrowse
                                                    • 192.229.221.95
                                                    17345937653b107659e23b9c28725ee4827d5eb205eece8b9a5c90afbbb742a9832aaefaab913.dat-decoded.dllGet hashmaliciousUnknownBrowse
                                                    • 192.229.221.95
                                                    file.exeGet hashmaliciousLummaC, Amadey, LummaC StealerBrowse
                                                    • 192.229.221.95
                                                    Payment_Failure_Notice_Office365_sdf_[13019].htmlGet hashmaliciousHTMLPhisherBrowse
                                                    • 192.229.221.95
                                                    R4qP4YM0QX.lnkGet hashmaliciousUnknownBrowse
                                                    • 192.229.221.95
                                                    download.ps1Get hashmaliciousUnknownBrowse
                                                    • 192.229.221.95
                                                    solara-executor.exeGet hashmaliciousUnknownBrowse
                                                    • 192.229.221.95
                                                    g8ix97hz.vbsGet hashmaliciousGuLoader, RHADAMANTHYSBrowse
                                                    • 192.229.221.95
                                                    http://golden1-alert.net/onlineGet hashmaliciousUnknownBrowse
                                                    • 192.229.221.95
                                                    ji2xlo1f.exeGet hashmaliciousLummaCBrowse
                                                    • 192.229.221.95
                                                    ftp.normagroup.com.trpE7icjUisS.exeGet hashmaliciousAgentTeslaBrowse
                                                    • 104.247.165.99
                                                    hesaphareket.exeGet hashmaliciousAgentTeslaBrowse
                                                    • 104.247.165.99
                                                    wKmhzHd4MC.exeGet hashmaliciousAgentTeslaBrowse
                                                    • 104.247.165.99
                                                    hesaphareketi__20241001.exeGet hashmaliciousAgentTeslaBrowse
                                                    • 104.247.165.99
                                                    EUR Swift Bildirimi12-08-2024.exeGet hashmaliciousAgentTeslaBrowse
                                                    • 104.247.165.99
                                                    LisectAVT_2403002A_134.exeGet hashmaliciousAgentTeslaBrowse
                                                    • 104.247.165.99
                                                    hesaphareketi_____.exeGet hashmaliciousAgentTeslaBrowse
                                                    • 104.247.165.99
                                                    hesaphareketi__.exeGet hashmaliciousAgentTeslaBrowse
                                                    • 104.247.165.99
                                                    hesaphareketi-.exeGet hashmaliciousAgentTeslaBrowse
                                                    • 104.247.165.99
                                                    hesaphareketi-.exeGet hashmaliciousAgentTeslaBrowse
                                                    • 104.247.165.99

                                                    ASNs

                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    ASN-QUADRANET-GLOBALUSSEPTobn3BR.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                    • 185.174.103.111
                                                    la.bot.sh4.elfGet hashmaliciousMiraiBrowse
                                                    • 103.68.202.250
                                                    greatindiancompaniesgivenbestgiftforyourhealthgivengoodreturns.htaGet hashmaliciousCobalt Strike, Remcos, DBatLoaderBrowse
                                                    • 185.174.103.111
                                                    Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                    • 66.63.187.30
                                                    Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                    • 66.63.187.30
                                                    Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                    • 66.63.187.30
                                                    armv4l.elfGet hashmaliciousMiraiBrowse
                                                    • 204.44.218.122
                                                    rebirth.arm7.elfGet hashmaliciousMirai, OkiruBrowse
                                                    • 104.223.28.126
                                                    jew.arm.elfGet hashmaliciousUnknownBrowse
                                                    • 72.11.146.73
                                                    2.elfGet hashmaliciousUnknownBrowse
                                                    • 173.205.82.95

                                                    JA3 Fingerprints

                                                    No context

                                                    Dropped Files

                                                    No context

                                                    Created / dropped Files

                                                    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_hesaphareketi-20_1ef6e8beb4ddac8ad848358cfdf3a7b96137db_ea211783_b95661bd-f8d0-4b5a-a9ca-e2f6ec009796\Report.wer

                                                    Download File
                                                    Process:C:\Windows\System32\WerFault.exe
                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):65536
                                                    Entropy (8bit):1.0196852812617883
                                                    Encrypted:false
                                                    SSDEEP:192:mTDbCBK2di03N/6HGdaWB2AR5zuiFrZ24lO80FY:4eBK2D3N/66am2YzuiFrY4lO8+Y
                                                    MD5:1BDDE8702B325A054C164E3D038AB542
                                                    SHA1:7E088BE11DD333BC5474103CD35FB44C5990D767
                                                    SHA-256:CED473D134291C73B92CD38A522EAB1115887D24E64E3D0639A137BC0F5C2F04
                                                    SHA-512:E1D49A1D2798B928BEC8662337A0334683D57248769A083D9626CA0934A96B5A8F63A8019922B940A1485C49AF407E11D4A0568AA9B1DD7F61C34BD9A3C3250A
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.1.8.0.4.9.3.5.9.0.3.4.9.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.1.8.0.4.9.4.2.6.2.2.2.9.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.9.5.6.6.1.b.d.-.f.8.d.0.-.4.b.5.a.-.a.9.c.a.-.e.2.f.6.e.c.0.0.9.7.9.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.5.d.7.6.1.a.f.-.f.c.1.0.-.4.4.7.0.-.a.e.f.d.-.1.1.5.a.4.8.3.b.8.b.1.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.h.e.s.a.p.h.a.r.e.k.e.t.i.-.2.0.-.1.2.-.2.0.2.4.-.p.d.f...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.A.k.e.k.u.b.a.w.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.2.c.-.0.0.0.1.-.0.0.1.4.-.1.8.5.2.-.a.0.0.d.f.0.5.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.8.5.2.3.e.b.a.c.a.f.5.3.0.0.3.2.5.0.4.4.c.2.b.c.f.f.1.e.e.e.8.0.0.0.0.0.0.0.0.!.0.0.0.0.5.d.6.1.8.5.4.d.0.b.e.9.b.a.2.3.6.0.f.7.2.1.c.b.7.9.c.3.b.0.6.c.0.7.e.5.9.1.

                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER6841.tmp.dmp

                                                    Download File
                                                    Process:C:\Windows\System32\WerFault.exe
                                                    File Type:Mini DuMP crash report, 16 streams, Fri Dec 20 15:01:33 2024, 0x1205a4 type
                                                    Category:dropped
                                                    Size (bytes):398868
                                                    Entropy (8bit):3.1737768854058652
                                                    Encrypted:false
                                                    SSDEEP:3072:VHgEynm3+v7SNluPupiURD4vlwOf2cSIHVjk0hUQ061CCqC8QjPiS:VHgEf3Q2Nl8upNa+IHVjk0hUOqj
                                                    MD5:CFCEF40376DB647A6DC94A24C174C852
                                                    SHA1:D938CCA8C920AA8DB79BEFA452C2C5835BE7B476
                                                    SHA-256:6575CE018ACA3C1267B146CC696377FFDCDE8A9CA9CB2D337730C0F20EF133C4
                                                    SHA-512:30D8CA873D826F0B504F233089DF5F7626B0EA25D852BACA8039D730AA1F11956B8845833E8F94CE50B92865F1E1227FFAC0D0297A4D6048D29B1E801821465B
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:MDMP..a..... ........eg....................................$...............(.......TI..Fu..........l.......8...........T...........x)...............8...........9..............................................................................eJ.......:......Lw......................T.......,....eg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER6A07.tmp.WERInternalMetadata.xml

                                                    Download File
                                                    Process:C:\Windows\System32\WerFault.exe
                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):8896
                                                    Entropy (8bit):3.705974745963288
                                                    Encrypted:false
                                                    SSDEEP:192:R6l7wVeJjugN6YcDTeugmfZ2/prr89b964faFfm:R6lXJFN6Y0vgmf0e9lfv
                                                    MD5:09DB45D24CDD76CFEBCB0B26A3B1CC4D
                                                    SHA1:BCE0F3C81D41EF392BE091D88AD7C78FA54CC4A3
                                                    SHA-256:119D78882D3BBAEB2279A148C11249F65885778518C16B7430FC477A8E453BC6
                                                    SHA-512:E70AF6B6D9CD826CC5D19DAFCC94F61DC18BD430EEEDA15A0BDA8A464FFF80317B765166E81321FCDC6128E8F1616E9AF2C609E59CF2E958A8BFDD9C381CD1E4
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.7.2.4.<./.P.i.

                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER6A56.tmp.xml

                                                    Download File
                                                    Process:C:\Windows\System32\WerFault.exe
                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):4905
                                                    Entropy (8bit):4.529845063083068
                                                    Encrypted:false
                                                    SSDEEP:48:cvIwWl8zs3Jg771I97kjWpW8VYlIYm8M4JYE6FDqyq8vdE2HTCzK4d:uIjfZI7OkS7VmlJ1EqW22HTCzK4d
                                                    MD5:E01B9304FADBF6C1E679740FFD956944
                                                    SHA1:95B819BA269C03FF8727C4C9A4014C8C6627E9DB
                                                    SHA-256:18BC13524597DA656C20AB13EFB25D4B62939DA8CE7626C4F3076DABBFE9AC12
                                                    SHA-512:7F0A9E7E301D72210E13168AB66F760D9614A8AF40E5D0595DF917AB5025791DDB87D8454ABCFABDDA3C22F5243FBBF1B08899BDB02D06915B0EECBB6F9097F1
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="639724" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                                                    C:\Windows\appcompat\Programs\Amcache.hve

                                                    Download File
                                                    Process:C:\Windows\System32\WerFault.exe
                                                    File Type:MS Windows registry file, NT/2000 or above
                                                    Category:dropped
                                                    Size (bytes):1835008
                                                    Entropy (8bit):4.39433437716433
                                                    Encrypted:false
                                                    SSDEEP:6144:Tl4fiJoH0ncNXiUjt10q1G/gaocYGBoaUMMhA2NX4WABlBuNAGOBSqa:R4vF1MYQUMM6VFYSGU
                                                    MD5:AB2CB9037122FD16E9A54428ABDE34EE
                                                    SHA1:FAD9BE2980046F364E72931BA3FF109B721651A1
                                                    SHA-256:41C8B34D92DDCC99D6A05227A96CDEB8EE010DBC1959ABDB6A655ADD52161169
                                                    SHA-512:11EFDCAC1C5824E0965B2C6D599F90FA0FD4FC3254CFB2BB9C81E5C1F3D15AD9261667DC3F7DE0C21FFBFF515A0B4C2EC4DF18FD19563BAB1F2B72247CEFEEB9
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.G...R.................................................................................................................................................................................................................................................................................................................................................;........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    Static File Info

                                                    General

                                                    File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):6.564800643034274
                                                    TrID:
                                                    • Win64 Executable GUI (202006/5) 92.65%
                                                    • Win64 Executable (generic) (12005/4) 5.51%
                                                    • Generic Win/DOS Executable (2004/3) 0.92%
                                                    • DOS Executable Generic (2002/1) 0.92%
                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                    File name:hesaphareketi-20-12-2024-pdf.exe
                                                    File size:5'277'184 bytes
                                                    MD5:1cb211d3d1aead7eb34777c5d76695da
                                                    SHA1:5d61854d0be9ba2360f721cb79c3b06c07e59106
                                                    SHA256:23419d1f783c90e855cd52aaa46ddc97e06f2514dbaf6abf69f1aec24c279fe6
                                                    SHA512:907dc967e6c94d530d42029ee0e18f2ae154a16c45d7d184c78ebc1be8c8213fa9326ec8f8d9f428c46d4b99fef229ee976e1bebb8dfa9d84d980d60d09df23b
                                                    SSDEEP:49152:P1oF4Lbr1B1q3SlFQE/6L6hkOITCygj4FITzZGtQprMpyZxE6MKd1rxgwcqyssdN:P1Fr1Ba5LJ2zZN31UQ2pgPK+g
                                                    TLSH:A9365BD493F8530DE07E867159F068D949DEB01626ABD39EF6C204BB0662FC12685EF3
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d..../dg.........."...0.7.G.............. ....@...... ........................P...........`................................

                                                    File Icon

                                                    Icon Hash:00928e8e8686b000

                                                    Static PE Info

                                                    General

                                                    Entrypoint:0x400000
                                                    Entrypoint Section:
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0x67642F1D [Thu Dec 19 14:35:09 2024 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:

                                                    Entrypoint Preview

                                                    Instruction
                                                    dec ebp
                                                    pop edx
                                                    nop
                                                    add byte ptr [ebx], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax+eax], al
                                                    add byte ptr [eax], al

                                                    Data Directories

                                                    NameVirtual AddressVirtual Size Is in Section
                                                    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_IMPORT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE0x47c0000x8f954.rsrc
                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_DEBUG0x47a7c00x1c.text
                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_IAT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20000x48.text
                                                    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                    Sections

                                                    NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                    .text0x20000x4788370x478a001f32e72cfa9f0d5a0c7847dfe93dbfdbunknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                    .rsrc0x47c0000x8f9540x8fa0065a5751131ea2c6cfbd7d179420f6ee0False0.9970711624238469data7.998736124571015IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                    Resources

                                                    NameRVASizeTypeLanguageCountryZLIB Complexity
                                                    PROTECTEDBYOMNIP0TENT0x47c3180x10data1.5
                                                    PROTECTEDBYOMNIP0TENT0x47c3280x8ec10data1.000318100971405
                                                    PROTECTEDBYOMNIP0TENT0x50af380x10data1.5625
                                                    PROTECTEDBYOMNIP0TENT0x50af480x180data1.0286458333333333
                                                    PROTECTEDBYOMNIP0TENT0x50b0c80x20data1.34375
                                                    PROTECTEDBYOMNIP0TENT0x50b0e80x10Non-ISO extended-ASCII text, with no line terminators1.5625
                                                    RT_VERSION0x50b0f80x338data0.49271844660194175
                                                    RT_VERSION0x50b4300x338dataEnglishUnited States0.49514563106796117
                                                    RT_MANIFEST0x50b7680x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                                    Possible Origin

                                                    Language of compilation systemCountry where language is spokenMap
                                                    EnglishUnited States

                                                    Network Behavior

                                                    Suricata IDS Alerts

                                                    TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                    2024-12-20T16:01:39.647064+01002029927ET MALWARE AgentTesla Exfil via FTP1192.168.2.949707104.247.165.9921TCP
                                                    2024-12-20T16:01:40.777963+01002855542ETPRO MALWARE Agent Tesla CnC Exfil Activity1192.168.2.949709104.247.165.9952545TCP
                                                    2024-12-20T16:01:40.898148+01002855542ETPRO MALWARE Agent Tesla CnC Exfil Activity1192.168.2.949709104.247.165.9952545TCP

                                                    Network Port Distribution

                                                    TCP Packets

                                                    TimestampSource PortDest PortSource IPDest IP
                                                    Dec 20, 2024 16:01:25.632096052 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:25.632164955 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:25.632292032 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:25.635091066 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:25.635193110 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:25.637000084 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:25.637099981 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:25.637284994 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:25.637345076 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:25.640111923 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:25.640202045 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:25.715255976 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:25.755012035 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:25.759649038 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:25.759949923 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:25.909989119 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:25.912913084 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:25.950932980 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:25.951037884 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:25.951134920 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:25.951196909 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:25.954396009 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:25.955225945 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:25.956598997 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:25.956659079 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:25.956749916 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:25.956805944 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:25.958458900 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:25.960009098 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:26.032440901 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:26.074409008 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:26.075826883 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:26.078025103 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:26.079715967 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:26.228106976 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:26.230818033 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:26.270363092 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:26.270543098 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:26.272063017 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:26.272150040 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:26.272910118 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:26.274595022 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:26.278575897 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:26.278625011 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:26.279128075 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:26.279182911 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:26.281507969 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:26.282272100 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:26.352616072 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:26.392496109 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:26.394366980 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:26.401062012 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:26.401807070 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:26.499188900 CET49673443192.168.2.9204.79.197.203
                                                    Dec 20, 2024 16:01:26.556066036 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:26.559274912 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:26.598788023 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:26.598938942 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:26.602272987 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:26.612840891 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:26.612905025 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:26.613116026 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:26.613116026 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:26.615658045 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:26.616050959 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:26.680613041 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:26.722965002 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:26.736262083 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:26.748846054 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:26.790743113 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:26.915260077 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:26.928632975 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:26.928750038 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:26.932086945 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:26.932251930 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:26.932306051 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:26.935549974 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:26.950381994 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:26.966253996 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:26.980808973 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:27.070043087 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:27.100438118 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:27.109675884 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:27.128865957 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:27.293577909 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:27.325052023 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:27.336745024 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:27.343641043 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:27.343717098 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:27.344135046 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:27.344214916 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:27.375751972 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:27.402442932 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:27.457659960 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:27.495253086 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:27.500792980 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:27.527954102 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:27.556833982 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:27.556849957 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:27.556972980 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:27.576713085 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:27.687824011 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:27.694385052 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:27.694519043 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:27.729994059 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:27.741863966 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:27.745209932 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:27.793807030 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:27.793819904 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:27.793942928 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:27.849989891 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:27.856791973 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:27.861740112 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:27.880445957 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:27.898169994 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:28.017390966 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:28.018321037 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:28.030582905 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:28.057455063 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:28.057544947 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:28.075540066 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:28.076265097 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:28.086519003 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:28.117763042 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:28.206007004 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:28.210503101 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:28.210594893 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:28.213891029 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:28.221410036 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:28.224109888 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:28.297183990 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:28.333643913 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:28.344162941 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:28.389830112 CET49675443192.168.2.923.206.229.209
                                                    Dec 20, 2024 16:01:28.398189068 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:28.401266098 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:28.402580976 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:28.405054092 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:28.405407906 CET49676443192.168.2.923.206.229.209
                                                    Dec 20, 2024 16:01:28.521008015 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:28.525115967 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:28.525882006 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:28.529189110 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:28.530406952 CET49674443192.168.2.923.206.229.209
                                                    Dec 20, 2024 16:01:28.536402941 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:28.539679050 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:28.594630003 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:28.594717979 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:28.598248959 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:28.659537077 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:28.717447996 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:28.722100019 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:28.731076956 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:28.731178045 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:28.734884977 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:28.855186939 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:28.889774084 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:28.890067101 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:28.890144110 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:28.892848969 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:28.892987013 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:28.965683937 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:28.969737053 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:29.012516022 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:29.047468901 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:29.047569036 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:29.050718069 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:29.082211971 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:29.085464954 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:29.133348942 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:29.170288086 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:29.205090046 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:29.210958958 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:29.211049080 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:29.211126089 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:29.214078903 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:29.214250088 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:29.334022999 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:29.362593889 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:29.365957975 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:29.398890972 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:29.399013996 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:29.401576042 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:29.401674032 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:29.401870966 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:29.404103041 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:29.521415949 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:29.533571959 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:29.534987926 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:29.535062075 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:29.537671089 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:29.537962914 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:29.657568932 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:29.720568895 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:29.723426104 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:29.726301908 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:29.726385117 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:29.728542089 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:29.848340034 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:29.849689960 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:29.852713108 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:29.855155945 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:29.855262041 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:29.855273962 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:29.855326891 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:29.863137960 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:29.865747929 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:29.983127117 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:30.033241987 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:30.040740967 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:30.045053005 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:30.048821926 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:30.051769018 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:30.164906025 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:30.171619892 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:30.175663948 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:30.178950071 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:30.181720018 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:30.181783915 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:30.182147980 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:30.182199001 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:30.184715986 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:30.184870958 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:30.304620981 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:30.345299959 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:30.363858938 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:30.367047071 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:30.367286921 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:30.369733095 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:30.486711025 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:30.489389896 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:30.497963905 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:30.501770020 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:30.502391100 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:30.502444029 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:30.502720118 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:30.502768040 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:30.505158901 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:30.505227089 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:30.624942064 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:30.682069063 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:30.685467005 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:30.688632011 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:30.693437099 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:30.813642025 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:30.817173958 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:30.820049047 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:30.820118904 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:30.820175886 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:30.823678017 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:30.825351000 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:30.826128960 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:30.946162939 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:31.005908966 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:31.008861065 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:31.010004997 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:31.011980057 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:31.131594896 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:31.141695976 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:31.141891003 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:31.141993046 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:31.150681973 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:31.150741100 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:31.197838068 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:31.199857950 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:31.270375013 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:31.323811054 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:31.326558113 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:31.333735943 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:31.335853100 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:31.456855059 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:31.467839003 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:31.468023062 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:31.468123913 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:31.525800943 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:31.577306986 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:31.637002945 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:31.638093948 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:31.638446093 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:31.649385929 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:31.649476051 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:31.651869059 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:31.660309076 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:31.662714005 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:31.759118080 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:31.782640934 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:31.951663971 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:31.954977989 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:31.955030918 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:31.955104113 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:31.955425978 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:31.958470106 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:31.958590031 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:31.974584103 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:31.974638939 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:31.977044106 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:32.078067064 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:32.096913099 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:32.145761013 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:32.180522919 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:32.270781994 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:32.270840883 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:32.274130106 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:32.281143904 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:32.281205893 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:32.281297922 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:32.281342983 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:32.286043882 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:32.287153959 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:32.336194038 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:32.336283922 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:32.338498116 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:32.405783892 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:32.529284954 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:32.529314995 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:32.691047907 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:32.691072941 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:32.691101074 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:32.691157103 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:32.691363096 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:32.691425085 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:32.702025890 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:32.707995892 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:32.709114075 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:32.709168911 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:32.811379910 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:32.822067976 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:32.824744940 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:32.827605963 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:32.828704119 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:32.828927040 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:32.944427013 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:33.025063038 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:33.028980017 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:33.029046059 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:33.029058933 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:33.061851025 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:33.078387022 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:33.138273954 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:33.138333082 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:33.153455019 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:33.153486967 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:33.182642937 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:33.200372934 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:33.236888885 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:33.273183107 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:33.280344009 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:33.400473118 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:33.430488110 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:33.433608055 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:33.469856024 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:33.470010996 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:33.470089912 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:33.493596077 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:33.653258085 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:33.657227039 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:33.692544937 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:33.693716049 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:33.695066929 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:33.776820898 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:33.808285952 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:33.814224958 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:33.834430933 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:33.861249924 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:33.954041004 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:34.004338980 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:34.009849072 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:34.009895086 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:34.010080099 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:34.017374039 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:34.018341064 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:34.021755934 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:34.137033939 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:34.138014078 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:34.141422987 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:34.146343946 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:34.161799908 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:34.202357054 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:34.233148098 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:34.325567007 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:34.333576918 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:34.333622932 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:34.337091923 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:34.337106943 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:34.337131023 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:34.352833986 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:34.356884956 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:34.358058929 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:34.372756958 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:34.476587057 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:34.477580070 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:34.492841959 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:34.525854111 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:34.577203035 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:34.595031023 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:34.669625998 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:34.674065113 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:34.674113035 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:34.674220085 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:34.687542915 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:34.698889017 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:34.699558020 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:34.761382103 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:34.761447906 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:34.761503935 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:34.764276028 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:34.809628010 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:34.819585085 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:34.820894003 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:34.884614944 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:34.905363083 CET49677443192.168.2.920.189.173.11
                                                    Dec 20, 2024 16:01:34.954010010 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:34.965848923 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:35.053399086 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:35.053457975 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:35.053595066 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:35.053751945 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:35.056324959 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:35.056404114 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:35.076666117 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:35.076760054 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:35.080219030 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:35.085464001 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:35.145421982 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:35.147871017 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:35.175966978 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:35.200611115 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:35.267501116 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:35.368419886 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:35.371088982 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:35.371860027 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:35.371913910 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:35.372167110 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:35.372221947 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:35.374718904 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:35.374929905 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:35.460022926 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:35.460083961 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:35.462776899 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:35.475819111 CET4970721192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:01:35.491099119 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:35.494527102 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:35.494726896 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:35.563697100 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:35.568300009 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:35.592992067 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:35.595350981 CET2149707104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:01:35.595438957 CET4970721192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:01:35.686528921 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:35.686619043 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:35.688502073 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:35.689462900 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:35.691148043 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:35.691199064 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:35.691205978 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:35.691277981 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:35.693550110 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:35.693566084 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:35.813196898 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:35.884517908 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:35.887778997 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:36.008593082 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:36.012162924 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:36.012229919 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:36.012242079 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:36.012839079 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:36.016014099 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:36.016197920 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:36.018198967 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:36.019018888 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:36.135746956 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:36.138653040 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:36.204283953 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:36.206701994 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:36.328587055 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:36.330733061 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:36.332133055 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:36.335942984 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:36.336205959 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:36.336270094 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:36.375602961 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:36.391851902 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:36.398998976 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:36.406821966 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:36.511435032 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:36.522783995 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:36.552598000 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:36.569331884 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:36.672657967 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:36.706322908 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:36.714716911 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:36.719191074 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:36.725307941 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:36.725435972 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:36.725491047 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:36.730565071 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:36.739447117 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:36.761723042 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:36.841474056 CET2149707104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:01:36.841689110 CET4970721192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:01:36.850162029 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:36.882802963 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:36.911654949 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:36.914539099 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:36.961419106 CET2149707104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:01:37.042896986 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:37.046869993 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:37.051837921 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:37.056039095 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:37.075764894 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:37.075833082 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:37.078224897 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:37.148835897 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:37.153373957 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:37.179508924 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:37.234610081 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:37.234675884 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:37.237206936 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:37.274986982 CET2149707104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:01:37.275109053 CET4970721192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:01:37.321214914 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:37.356794119 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:37.373505116 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:37.377681017 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:37.390232086 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:37.390289068 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:37.393251896 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:37.394628048 CET2149707104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:01:37.465194941 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:37.467569113 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:37.512821913 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:37.549077988 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:37.549141884 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:37.551462889 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:37.596937895 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:37.599026918 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:37.705069065 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:37.705137014 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:37.708472967 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:37.740660906 CET2149707104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:01:37.740796089 CET4970721192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:01:37.765356064 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:37.774920940 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:37.778182983 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:37.828402996 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:37.860749006 CET2149707104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:01:37.864135027 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:37.864196062 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:37.866951942 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:37.941387892 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:37.986660957 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:37.999087095 CET49675443192.168.2.923.206.229.209
                                                    Dec 20, 2024 16:01:38.014720917 CET49676443192.168.2.923.206.229.209
                                                    Dec 20, 2024 16:01:38.139728069 CET49674443192.168.2.923.206.229.209
                                                    Dec 20, 2024 16:01:38.174664021 CET2149707104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:01:38.174858093 CET4970721192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:01:38.294423103 CET2149707104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:01:38.322412014 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:38.322536945 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:38.322621107 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:38.325218916 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:38.325421095 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:38.325474024 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:38.331698895 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:38.341937065 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:38.344768047 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:38.345325947 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:38.345619917 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:38.451370955 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:38.461734056 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:38.464296103 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:38.464986086 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:38.465140104 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:38.608226061 CET2149707104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:01:38.610105991 CET4970721192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:01:38.648161888 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:38.651487112 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:38.663167000 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:38.663239002 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:38.663245916 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:38.663326025 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:38.665617943 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:38.666335106 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:38.668611050 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:38.729701996 CET2149707104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:01:38.771053076 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:38.785387039 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:38.788414955 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:38.853146076 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:38.856926918 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:38.858002901 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:38.976644039 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:38.977533102 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:38.977771044 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:38.981107950 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:39.017630100 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:39.017684937 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:39.017757893 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:39.017802000 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:39.024575949 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:39.026242018 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:39.045360088 CET2149707104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:01:39.045490980 CET4970721192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:01:39.137571096 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:39.146425009 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:39.166699886 CET2149707104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:01:39.173943996 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:39.174482107 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:39.174535990 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:39.336076975 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:39.338835001 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:39.342885017 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:39.342945099 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:39.343048096 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:39.389750004 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:39.480547905 CET2149707104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:01:39.497273922 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:39.526916981 CET4970952545192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:01:39.530330896 CET4970721192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:01:39.576329947 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:39.586893082 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:39.594655037 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:39.602190971 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:39.646863937 CET5254549709104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:01:39.646974087 CET4970952545192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:01:39.647063971 CET4970721192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:01:39.651844978 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:39.651963949 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:39.667223930 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:39.696573019 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:39.706520081 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:39.714227915 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:39.721697092 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:39.766602039 CET2149707104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:01:39.786848068 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:39.891592026 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:39.894727945 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:39.909708023 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:39.909764051 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:39.909832954 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:39.909878016 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:39.912524939 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:39.912969112 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:39.979120016 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:39.979191065 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:39.982641935 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:40.014413118 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:40.032219887 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:40.032450914 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:40.084167004 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:40.087337971 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:40.102683067 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:40.207798004 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:40.224490881 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:40.227988958 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:40.234297037 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:40.234349012 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:40.234575987 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:40.234627008 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:40.237600088 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:40.237844944 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:40.357347965 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:40.400048971 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:40.403605938 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:40.426110029 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:40.429436922 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:40.549084902 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:40.549526930 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:40.552872896 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:40.555438995 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:40.555543900 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:40.555552959 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:40.555618048 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:40.558043957 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:40.558095932 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:40.677938938 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:40.741518021 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:40.743952036 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:40.744080067 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:40.744194984 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:40.744241953 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:40.747255087 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:40.777719975 CET2149707104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:01:40.777962923 CET4970952545192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:01:40.778028011 CET4970952545192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:01:40.827198029 CET4970721192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:01:40.866997957 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:40.867971897 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:40.868240118 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:40.870014906 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:40.873502970 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:40.873856068 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:40.873986006 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:40.874813080 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:40.879082918 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:40.879725933 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:40.880135059 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:40.882759094 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:40.897634983 CET5254549709104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:01:40.898020029 CET5254549709104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:01:40.898148060 CET4970952545192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:01:41.000015020 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:41.049459934 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:41.068228006 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:41.068411112 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:41.068468094 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:41.077656031 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:41.177891970 CET4434970423.206.229.209192.168.2.9
                                                    Dec 20, 2024 16:01:41.177997112 CET49704443192.168.2.923.206.229.209
                                                    Dec 20, 2024 16:01:41.192332983 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:41.195336103 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:41.195389986 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:41.195585012 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:41.199337006 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:41.203115940 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:41.210095882 CET2149707104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:01:41.219187975 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:41.220053911 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:41.264703989 CET4970721192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:01:41.301466942 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:41.305228949 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:41.308423042 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:41.322741985 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:41.339430094 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:41.340394974 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:41.428040028 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:41.515033007 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:41.520123959 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:41.531855106 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:41.531958103 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:41.536828995 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:41.537014961 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:41.537035942 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:41.592847109 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:41.639765024 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:41.723758936 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:41.780328035 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:01:41.979361057 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:01:42.030302048 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:03:09.436614990 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:03:09.557540894 CET4434970513.107.246.63192.168.2.9
                                                    Dec 20, 2024 16:03:09.557629108 CET49705443192.168.2.913.107.246.63
                                                    Dec 20, 2024 16:03:17.493372917 CET4972521192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:03:17.613066912 CET2149725104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:03:17.613148928 CET4972521192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:03:17.613523960 CET4972521192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:03:17.733582020 CET2149725104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:03:17.733656883 CET4972521192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:03:34.614198923 CET4972621192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:03:34.734103918 CET2149726104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:03:34.737519979 CET4972621192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:03:34.741472006 CET4972621192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:03:34.861155033 CET2149726104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:03:34.861249924 CET4972621192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:03:39.444813967 CET4972721192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:03:39.565241098 CET2149727104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:03:39.565335035 CET4972721192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:03:39.565610886 CET4972721192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:03:39.686537981 CET2149727104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:03:39.687828064 CET2149727104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:03:39.687885046 CET4972721192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:03:41.695652008 CET4972821192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:03:41.820768118 CET2149728104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:03:41.820861101 CET4972821192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:03:41.821086884 CET4972821192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:03:41.942234993 CET2149728104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:03:41.944951057 CET2149728104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:03:41.945080996 CET4972821192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:03:55.521393061 CET4972921192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:03:55.641654968 CET2149729104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:03:55.641736984 CET4972921192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:03:55.642002106 CET4972921192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:03:55.766237974 CET2149729104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:03:55.782001019 CET2149729104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:03:55.782099009 CET4972921192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:04:05.476097107 CET4973021192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:04:05.596268892 CET2149730104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:04:05.596359015 CET4973021192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:04:05.596646070 CET4973021192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:04:05.716964006 CET2149730104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:04:05.717031002 CET4973021192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:04:08.850752115 CET4973121192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:04:08.970305920 CET2149731104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:04:08.970396996 CET4973121192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:04:08.970634937 CET4973121192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:04:09.090217113 CET2149731104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:04:09.090329885 CET2149731104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:04:09.090439081 CET4973121192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:04:16.162337065 CET4973221192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:04:16.282752991 CET2149732104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:04:16.282891989 CET4973221192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:04:16.283349991 CET4973221192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:04:16.403139114 CET2149732104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:04:16.403239965 CET4973221192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:04:20.106682062 CET4973321192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:04:20.226533890 CET2149733104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:04:20.226659060 CET4973321192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:04:20.227165937 CET4973321192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:04:20.347105980 CET2149733104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:04:20.347172976 CET4973321192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:04:38.465903997 CET4973421192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:04:38.585885048 CET2149734104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:04:38.585963964 CET4973421192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:04:38.586484909 CET4973421192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:04:38.706410885 CET2149734104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:04:38.706604004 CET4973421192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:05:01.929085970 CET4973521192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:05:02.048950911 CET2149735104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:05:02.049068928 CET4973521192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:05:02.049325943 CET4973521192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:05:02.170614004 CET2149735104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:05:02.171016932 CET2149735104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:05:02.171068907 CET4973521192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:05:03.599814892 CET4973621192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:05:03.720099926 CET2149736104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:05:03.720242977 CET4973621192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:05:03.720494032 CET4973621192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:05:03.840243101 CET2149736104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:05:03.840384960 CET4973621192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:05:13.987945080 CET4973721192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:05:14.107839108 CET2149737104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:05:14.111704111 CET4973721192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:05:14.111979008 CET4973721192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:05:14.232942104 CET2149737104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:05:14.233001947 CET4973721192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:05:25.660419941 CET4973821192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:05:25.780262947 CET2149738104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:05:25.780359983 CET4973821192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:05:25.780806065 CET4973821192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:05:25.900830030 CET2149738104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:05:25.901393890 CET4973821192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:05:31.928997993 CET4973921192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:05:32.049230099 CET2149739104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:05:32.049369097 CET4973921192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:05:32.049633026 CET4973921192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:05:32.170780897 CET2149739104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:05:32.172456980 CET4973921192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:05:32.965821028 CET4974021192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:05:33.085685015 CET2149740104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:05:33.085764885 CET4974021192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:05:33.086085081 CET4974021192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:05:33.206315041 CET2149740104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:05:33.206383944 CET4974021192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:05:38.785290003 CET4974121192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:05:38.905145884 CET2149741104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:05:38.905225992 CET4974121192.168.2.9104.247.165.99
                                                    Dec 20, 2024 16:05:40.153183937 CET2149741104.247.165.99192.168.2.9
                                                    Dec 20, 2024 16:05:40.201387882 CET4974121192.168.2.9104.247.165.99

                                                    UDP Packets

                                                    TimestampSource PortDest PortSource IPDest IP
                                                    Dec 20, 2024 16:01:35.020147085 CET5439253192.168.2.91.1.1.1
                                                    Dec 20, 2024 16:01:35.470870018 CET53543921.1.1.1192.168.2.9

                                                    DNS Queries

                                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                    Dec 20, 2024 16:01:35.020147085 CET192.168.2.91.1.1.10x7f38Standard query (0)ftp.normagroup.com.trA (IP address)IN (0x0001)false

                                                    DNS Answers

                                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                    Dec 20, 2024 16:01:35.470870018 CET1.1.1.1192.168.2.90x7f38No error (0)ftp.normagroup.com.tr104.247.165.99A (IP address)IN (0x0001)false
                                                    Dec 20, 2024 16:02:39.338812113 CET1.1.1.1192.168.2.90xeef5No error (0)fp2e7a.wpc.2be4.phicdn.netfp2e7a.wpc.phicdn.netCNAME (Canonical name)IN (0x0001)false
                                                    Dec 20, 2024 16:02:39.338812113 CET1.1.1.1192.168.2.90xeef5No error (0)fp2e7a.wpc.phicdn.net192.229.221.95A (IP address)IN (0x0001)false

                                                    FTP Packets

                                                    TimestampSource PortDest PortSource IPDest IPCommands
                                                    Dec 20, 2024 16:01:36.841474056 CET2149707104.247.165.99192.168.2.9220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                                    220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.
                                                    220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 18:01. Server port: 21.
                                                    220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 18:01. Server port: 21.220-This is a private system - No anonymous login
                                                    220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 18:01. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.
                                                    220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 18:01. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
                                                    Dec 20, 2024 16:01:36.841689110 CET4970721192.168.2.9104.247.165.99USER admin@normagroup.com.tr
                                                    Dec 20, 2024 16:01:37.274986982 CET2149707104.247.165.99192.168.2.9331 User admin@normagroup.com.tr OK. Password required
                                                    Dec 20, 2024 16:01:37.275109053 CET4970721192.168.2.9104.247.165.99PASS Qb.X[.j.Yfm[
                                                    Dec 20, 2024 16:01:37.740660906 CET2149707104.247.165.99192.168.2.9230 OK. Current restricted directory is /
                                                    Dec 20, 2024 16:01:38.174664021 CET2149707104.247.165.99192.168.2.9504 Unknown command
                                                    Dec 20, 2024 16:01:38.174858093 CET4970721192.168.2.9104.247.165.99PWD
                                                    Dec 20, 2024 16:01:38.608226061 CET2149707104.247.165.99192.168.2.9257 "/" is your current location
                                                    Dec 20, 2024 16:01:38.610105991 CET4970721192.168.2.9104.247.165.99TYPE I
                                                    Dec 20, 2024 16:01:39.045360088 CET2149707104.247.165.99192.168.2.9200 TYPE is now 8-bit binary
                                                    Dec 20, 2024 16:01:39.045490980 CET4970721192.168.2.9104.247.165.99PASV
                                                    Dec 20, 2024 16:01:39.480547905 CET2149707104.247.165.99192.168.2.9227 Entering Passive Mode (104,247,165,99,205,65)
                                                    Dec 20, 2024 16:01:39.647063971 CET4970721192.168.2.9104.247.165.99STOR PW_user-210979_2024_12_20_10_01_34.html
                                                    Dec 20, 2024 16:01:40.777719975 CET2149707104.247.165.99192.168.2.9150 Accepted data connection
                                                    Dec 20, 2024 16:01:41.210095882 CET2149707104.247.165.99192.168.2.9226-File successfully transferred
                                                    226-File successfully transferred226 0.433 seconds (measured here), 0.72 Kbytes per second
                                                    Dec 20, 2024 16:05:40.153183937 CET2149741104.247.165.99192.168.2.9220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                                    220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 50 allowed.
                                                    220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 50 allowed.220-Local time is now 18:05. Server port: 21.
                                                    220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 50 allowed.220-Local time is now 18:05. Server port: 21.220-This is a private system - No anonymous login
                                                    220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 50 allowed.220-Local time is now 18:05. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.
                                                    220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 50 allowed.220-Local time is now 18:05. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.

                                                    Statistics

                                                    CPU Usage

                                                    Click to jump to process

                                                    Memory Usage

                                                    Click to jump to process

                                                    High Level Behavior Distribution

                                                    Click to dive into process behavior distribution

                                                    Behavior

                                                    Click to jump to process

                                                    System Behavior

                                                    General

                                                    Target ID:0
                                                    Start time:10:01:31
                                                    Start date:20/12/2024
                                                    Path:C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Users\user\Desktop\hesaphareketi-20-12-2024-pdf.exe"
                                                    Imagebase:0x202cb510000
                                                    File size:5'277'184 bytes
                                                    MD5 hash:1CB211D3D1AEAD7EB34777C5D76695DA
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1745623478.00000202CDB5C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1746824194.00000202DD850000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1746824194.00000202DD850000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:low
                                                    Has exited:true

                                                    General

                                                    Target ID:2
                                                    Start time:10:01:32
                                                    Start date:20/12/2024
                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
                                                    Imagebase:0xec0000
                                                    File size:262'432 bytes
                                                    MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3879068717.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3879068717.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3881351503.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3881351503.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3881351503.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:high
                                                    Has exited:false

                                                    General

                                                    Target ID:5
                                                    Start time:10:01:33
                                                    Start date:20/12/2024
                                                    Path:C:\Windows\System32\WerFault.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\WerFault.exe -u -p 7724 -s 1052
                                                    Imagebase:0x7ff61cbd0000
                                                    File size:570'736 bytes
                                                    MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Disassembly

                                                    Reset < >

                                                      Executed Functions

                                                      Function 00007FF888046110 Relevance: 2.0, Strings: 1, Instructions: 721COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: d
                                                      • API String ID: 0-2564639436
                                                      • Opcode ID: e203e59e1f42b6aa2a319cc59e2d3e108ae77453cce1ef7bd1426315167c38c8
                                                      • Instruction ID: e0c43937d0835c5552c511e20afb1729000a9f7475d328e5eaf2c2192deec18b
                                                      • Opcode Fuzzy Hash: e203e59e1f42b6aa2a319cc59e2d3e108ae77453cce1ef7bd1426315167c38c8
                                                      • Instruction Fuzzy Hash: 95222130A98A4A4FEB59DB2898816B177E0FF45358F1446B9C88EC71D7DE38E843C785
                                                      Function 00007FF888047688 Relevance: 1.7, Strings: 1, Instructions: 496COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: fish
                                                      • API String ID: 0-1064584243
                                                      • Opcode ID: 1bcd9805932e06c47f387b1447eecbba65b124576373e79b335cb80b766242c0
                                                      • Instruction ID: 65ae446cd576db3065b150ccb37595b2e4b4a636eb4d0e937259bfcd784dffdf
                                                      • Opcode Fuzzy Hash: 1bcd9805932e06c47f387b1447eecbba65b124576373e79b335cb80b766242c0
                                                      • Instruction Fuzzy Hash: 8FD14B31A8CA4E0FEB59AA7C98151B977E1FF96354F0441BED48AC31D7DE28AC06C781
                                                      Function 00007FF888051F99 Relevance: 1.7, Instructions: 1664COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bf8ab148a3e15f9e925ac29480ba287821687d7255414bf2b406d33d3bcec67a
                                                      • Instruction ID: 98dbe9b8dd130c74682da8a04b0a924a06f308833b792efa21b57babc57a6041
                                                      • Opcode Fuzzy Hash: bf8ab148a3e15f9e925ac29480ba287821687d7255414bf2b406d33d3bcec67a
                                                      • Instruction Fuzzy Hash: B9B23431A0CB894FEB19DB28C4914B5B7E2FF95341F1445BED48AC72A6DF38A846C781
                                                      Function 00007FF88804BD50 Relevance: 1.6, Instructions: 1642COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 33f32a4647c9518136f2ac4ed86402815116d7a13bda2078b9b2ac68f0007e08
                                                      • Instruction ID: da1d9f74f701f4e8ed87cdabee213c15b0bb37975cf785b48eb90bf2386eaa12
                                                      • Opcode Fuzzy Hash: 33f32a4647c9518136f2ac4ed86402815116d7a13bda2078b9b2ac68f0007e08
                                                      • Instruction Fuzzy Hash: A1B2E171A48A4A8FEB98DB28C4956B877E1FF55340F1401B9D04EDB2E2DF38AC42CB55
                                                      Function 00007FF88805364A Relevance: 1.1, Instructions: 1119COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0a84f7a02d0c197e4473d46495e22033f4cd51e1aa3674d395f638ec508f1f41
                                                      • Instruction ID: 1ad3a92c2cebcb6126c6b6c3e50992dd6b65dabee10226e3361b110cef08dea2
                                                      • Opcode Fuzzy Hash: 0a84f7a02d0c197e4473d46495e22033f4cd51e1aa3674d395f638ec508f1f41
                                                      • Instruction Fuzzy Hash: 5F727531A0CB8A4FEB58DB2884815B577E2FF95344F1006BED48AC72D6DF38A846C795
                                                      Function 00007FF88804BD48 Relevance: .9, Instructions: 933COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f5ee6b86f3789ab1e1d229e0f6416c358cd222ff1ecb002ea52605357ba25220
                                                      • Instruction ID: 00b2d2b2ca1862d82b1c3175335d95a5a5b8d9b33eb631cbf121b62454bf861c
                                                      • Opcode Fuzzy Hash: f5ee6b86f3789ab1e1d229e0f6416c358cd222ff1ecb002ea52605357ba25220
                                                      • Instruction Fuzzy Hash: E652C330A08A098FEB68DA28D855A7977E1FF59740F2401BDE48ED72D2DF34AC42CB55
                                                      Function 00007FF88804E7DA Relevance: .7, Instructions: 737COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d5f484fe59f51e2422a3714eda08212fea9d9bbbf87547fbb51cc8fdca0f0fff
                                                      • Instruction ID: 1cce48b6c74b5aa996d24602749fb3717132db98b8dcf39dc34ead4f562906ca
                                                      • Opcode Fuzzy Hash: d5f484fe59f51e2422a3714eda08212fea9d9bbbf87547fbb51cc8fdca0f0fff
                                                      • Instruction Fuzzy Hash: 9D329831A8CB864FEB59DB2884511B577D2FF81358F0445BED48AC72E6DF38A886C385
                                                      Function 00007FF88804F030 Relevance: .4, Instructions: 438COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f7a3808a0225c66537123fe601f3c75650672061659c7402167610e75dde2ffa
                                                      • Instruction ID: 03c7576293ba3be6378eb6ee649f5540fb67b5beeae7107e00374d7b5efcc592
                                                      • Opcode Fuzzy Hash: f7a3808a0225c66537123fe601f3c75650672061659c7402167610e75dde2ffa
                                                      • Instruction Fuzzy Hash: 95D1343598CB854FE719CB298492175B7E2FFD4305F1486BED4CAC32E5DA38A842C781
                                                      Function 00007FF888043EC3 Relevance: .4, Instructions: 372COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9816519c469534dac1bb068c53c83c6cf2dad7e910f70843a9df960c52ffef48
                                                      • Instruction ID: 78e218ff05418bf7d08bac8fd1a544a7156ea67225e1729aae23af4935d3bd17
                                                      • Opcode Fuzzy Hash: 9816519c469534dac1bb068c53c83c6cf2dad7e910f70843a9df960c52ffef48
                                                      • Instruction Fuzzy Hash: 2DC1E170AD96058FEB18EF288045179B7E1FF85348F6444BED08A8B1D2DB35E883CB85
                                                      Function 00007FF888057D57 Relevance: .2, Instructions: 204COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 34af765dcd53a85ce4124e61c00a51d0de6667f39890cf9c2826d33b22519f10
                                                      • Instruction ID: d5524ebb262200c2c7dfa686b8c8ff315fbaaa0fd2dfc488b7cd66b593311f44
                                                      • Opcode Fuzzy Hash: 34af765dcd53a85ce4124e61c00a51d0de6667f39890cf9c2826d33b22519f10
                                                      • Instruction Fuzzy Hash: 39511C31A0C7891FD71E9A3898661753BA5EB87210F1582BFD4CBC71E7DD286C078396
                                                      Function 00007FF888180A94 Relevance: 4.5, Strings: 3, Instructions: 774COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1749302951.00007FF888180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888180000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888180000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 3!$3!$3!
                                                      • API String ID: 0-2817880198
                                                      • Opcode ID: 566bef2baa235c522bd1d5d14750a82b9a7339763f61e9e00418923c4f9f038d
                                                      • Instruction ID: 6bef37ec4a7db0c62ab69bad41cdec0f63550dbd85fd08bb67da0ea8954cf0ea
                                                      • Opcode Fuzzy Hash: 566bef2baa235c522bd1d5d14750a82b9a7339763f61e9e00418923c4f9f038d
                                                      • Instruction Fuzzy Hash: DC324B3A80D6CA8FE765DB2888565A87FE0FF56740F1805FEC08DCB192DF24684AC795
                                                      Function 00007FF88804C880 Relevance: 1.7, Strings: 1, Instructions: 494COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ZN_H
                                                      • API String ID: 0-3134461993
                                                      • Opcode ID: d60a0f19cfe9a99880775c9f7bae589cde9bd2d5d7cecef1bcd20bdfe0c870fd
                                                      • Instruction ID: 6e568632bcc796fdea7a4c838146dd7e718dabf39643e1696df8a0865a1fb9ff
                                                      • Opcode Fuzzy Hash: d60a0f19cfe9a99880775c9f7bae589cde9bd2d5d7cecef1bcd20bdfe0c870fd
                                                      • Instruction Fuzzy Hash: 8BE11031A8CA468FE729DB28D8555B577E0FF41394B1845BAD08AC71D3DE38B847C782
                                                      Function 00007FF888040658 Relevance: 1.6, Strings: 1, Instructions: 381COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: d
                                                      • API String ID: 0-2564639436
                                                      • Opcode ID: eb5b82e5043a0a7d1914284674872dd9c1a7f2ec7afdd7a835f361937f40f32c
                                                      • Instruction ID: 6cd51c2783c56f070e8a54b58be16a28c71b6478697e58ec4b4aca8d2976a513
                                                      • Opcode Fuzzy Hash: eb5b82e5043a0a7d1914284674872dd9c1a7f2ec7afdd7a835f361937f40f32c
                                                      • Instruction Fuzzy Hash: 4DC11F30A98A0A4FD768EB28C8815B1B3E1FF56358B5445BAC09EC3597DE39F843C784
                                                      Function 00007FF888049FE6 Relevance: 1.5, Strings: 1, Instructions: 253COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: [3
                                                      • API String ID: 0-44986645
                                                      • Opcode ID: fec07c459e6d15242a37a520644d3bb1ff31e1ef354e6432b468bceb5d2710b4
                                                      • Instruction ID: 5ac2b11047be5f60a5dea2f78e68d008bb5e2f3201446eb445ce5237ab808b28
                                                      • Opcode Fuzzy Hash: fec07c459e6d15242a37a520644d3bb1ff31e1ef354e6432b468bceb5d2710b4
                                                      • Instruction Fuzzy Hash: 0D81CE3598C95A4FEF88DF188590AF873A1FF54348F1006B9D41ADB1E6DB35E842CB84
                                                      Function 00007FF888047680 Relevance: 1.5, Strings: 1, Instructions: 244COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: fish
                                                      • API String ID: 0-1064584243
                                                      • Opcode ID: f98ab453eb9f06f7be3aed32061e4a317cbd909fe9ad2a27e2ff67488ba8d4ff
                                                      • Instruction ID: da3a8bed678d188db8f0624fce6bdb817e591818d6b55f2953d33f4dbd921566
                                                      • Opcode Fuzzy Hash: f98ab453eb9f06f7be3aed32061e4a317cbd909fe9ad2a27e2ff67488ba8d4ff
                                                      • Instruction Fuzzy Hash: 05515921F8DA4E1FFA58A67C68152B977D2FF552A8F44407FD04EC71DBED28A8068381
                                                      Function 00007FF888046318 Relevance: 1.5, Strings: 1, Instructions: 226COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: d
                                                      • API String ID: 0-2564639436
                                                      • Opcode ID: c6e87b2c6184042d1321a9e7ab8ddc3f2bf659d1b6ee8fc85b55f467e07c5ee9
                                                      • Instruction ID: 1daa66d3dcb9f03df52bb49d1cf3b64edfefb5e38ecd7141582d631232ae3783
                                                      • Opcode Fuzzy Hash: c6e87b2c6184042d1321a9e7ab8ddc3f2bf659d1b6ee8fc85b55f467e07c5ee9
                                                      • Instruction Fuzzy Hash: 5961AD70AA8A094BEB58DE18D481A7173D0FF49348F5441B8D94EC729BDA35FC53C689
                                                      Function 00007FF888041BE8 Relevance: 1.5, Strings: 1, Instructions: 211COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: d
                                                      • API String ID: 0-2564639436
                                                      • Opcode ID: 24be785994878f0ef98a60e80ee4abb4f0fde28a53c157f2e38c735deb06074a
                                                      • Instruction ID: a68ea6deaed1992151434086a92de21bf2191f721a6f0995cb14a6cedef475f9
                                                      • Opcode Fuzzy Hash: 24be785994878f0ef98a60e80ee4abb4f0fde28a53c157f2e38c735deb06074a
                                                      • Instruction Fuzzy Hash: 5751FD30998B098BEB69EA18C8815B1B7E0FF56349F5441BDC49FC3592DE35B813C684
                                                      Function 00007FF888045F11 Relevance: 1.5, Strings: 1, Instructions: 206COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: N_
                                                      • API String ID: 0-1327875137
                                                      • Opcode ID: 9c8fe52ea45f9634aa05f2b353d2ddbfa7db5901955258f52a81656203c69327
                                                      • Instruction ID: b3b4e17d874a8843ed2e34098504e9c07e424d99c9a4b5c0ab878a564f1e92f8
                                                      • Opcode Fuzzy Hash: 9c8fe52ea45f9634aa05f2b353d2ddbfa7db5901955258f52a81656203c69327
                                                      • Instruction Fuzzy Hash: AC516821E9C6C60FE76A567868661F93BD1FF46298B1401FAD0CAC71C7EE1CA847C346
                                                      Function 00007FF88818026B Relevance: 1.4, Strings: 1, Instructions: 177COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1749302951.00007FF888180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888180000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888180000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A
                                                      • API String ID: 0-3554254475
                                                      • Opcode ID: 8636682ea5eaa01c008eb4fe6e91fe3874681a180072a0cd520e4b5634a90763
                                                      • Instruction ID: 8530d738d7798c175709a6e917e121ef79aaed139df5449170da935f89419e3a
                                                      • Opcode Fuzzy Hash: 8636682ea5eaa01c008eb4fe6e91fe3874681a180072a0cd520e4b5634a90763
                                                      • Instruction Fuzzy Hash: 44511535808A4E8FDB69DB18C892AE87BA1FF55744F1845ADD04ECB186CF74A886CB44
                                                      Function 00007FF88804C5B8 Relevance: 1.3, Strings: 1, Instructions: 63COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: OM_H
                                                      • API String ID: 0-3746890205
                                                      • Opcode ID: 46acb9524aa64a7af5f4ded11c3fe2cebd522da94f74ce09348fc0067f6a1533
                                                      • Instruction ID: 29ef7a42ad2ce1bf6d06c32850031adacdb7d922e41c1eb43e1d75375fdf8b23
                                                      • Opcode Fuzzy Hash: 46acb9524aa64a7af5f4ded11c3fe2cebd522da94f74ce09348fc0067f6a1533
                                                      • Instruction Fuzzy Hash: 27012612F5DC5B07A9A8912C385A27811C3FFD8A50B1842BAE44CE32DDEE2C5C8283D4
                                                      Function 00007FF88804F411 Relevance: .9, Instructions: 851COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c4c29a851f09f5d375aa6b1b330b43885f75eb5cf847854b67e4ffbb1ce2b922
                                                      • Instruction ID: b7b15d8403d5881863139671099e8fc15b860795a2ec4c78dfb944842ad6e028
                                                      • Opcode Fuzzy Hash: c4c29a851f09f5d375aa6b1b330b43885f75eb5cf847854b67e4ffbb1ce2b922
                                                      • Instruction Fuzzy Hash: 7452363195CA4A8FEB59DB28C4945B47BE1FF95348F1441BED08ACB2E2DF38A846C744
                                                      Function 00007FF888046C88 Relevance: .7, Instructions: 748COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2404544e967399e2443bb7647d2eb3849144394a540042b70ec1331443378c8b
                                                      • Instruction ID: 7f36adef751926374aa77f8bd2af7698963545f19da31200bfb28a62adf73838
                                                      • Opcode Fuzzy Hash: 2404544e967399e2443bb7647d2eb3849144394a540042b70ec1331443378c8b
                                                      • Instruction Fuzzy Hash: 48126A2699E7CA4FE3135B745C351A07FB0AE53654B1E01EBC8D9CB1E3DA1C684AC722
                                                      Function 00007FF888050E10 Relevance: .7, Instructions: 660COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a0684165342bf330e244d6c7b64c18a9bda9a1ac503e43c8e291f3af6b4baa92
                                                      • Instruction ID: 5def796c21bcf82d485f726b46f20a086fa1f81107166bff3cfc5cf8901f22be
                                                      • Opcode Fuzzy Hash: a0684165342bf330e244d6c7b64c18a9bda9a1ac503e43c8e291f3af6b4baa92
                                                      • Instruction Fuzzy Hash: 1F123532E0CA4A4FEB99DA28945617537D1FF94392F4401BED44ED72D2EE28E806C395
                                                      Function 00007FF88804B938 Relevance: .6, Instructions: 634COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1e50346c2e11b6f193e3e9a301a7f14b0679a71056d8d36638272715a066518f
                                                      • Instruction ID: 5c4540ca16eb2538c958c222f5ee97fc4092e5263300b013a896de19aaec3b01
                                                      • Opcode Fuzzy Hash: 1e50346c2e11b6f193e3e9a301a7f14b0679a71056d8d36638272715a066518f
                                                      • Instruction Fuzzy Hash: 2612E431E0CA4A8FEB94DB6C88567B87BE1FF9A350F0501B9D04CD7692DE38A846C751
                                                      Function 00007FF88804CD25 Relevance: .6, Instructions: 610COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7813d93a5540ac6d512d5e4244558043984529ccbe1bd39cc7c30c39cbc876bd
                                                      • Instruction ID: 41e11f93eb637eaea46a991aa872e45868df6c27301f6f4f57efed2652f6f3d5
                                                      • Opcode Fuzzy Hash: 7813d93a5540ac6d512d5e4244558043984529ccbe1bd39cc7c30c39cbc876bd
                                                      • Instruction Fuzzy Hash: FFB12936A8D7864FE7129B2898551F47FA0FF52354B0801FBC899C70E3DE28A806C756
                                                      Function 00007FF88804CD7F Relevance: .6, Instructions: 592COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 324cba8c4c5dcf43df9c7e41c43d972ada355ac7e2e469f354b82ee5c60d66d3
                                                      • Instruction ID: 0b3fd49538545058f1d6595d01ac40a08b43d9a3d668993cf4e0e13fa51480dc
                                                      • Opcode Fuzzy Hash: 324cba8c4c5dcf43df9c7e41c43d972ada355ac7e2e469f354b82ee5c60d66d3
                                                      • Instruction Fuzzy Hash: C1B1293298D7865FE7129B6898551F57BA0FF52364B0801FBC899C70E3DE28A806C756
                                                      Function 00007FF888046CF2 Relevance: .6, Instructions: 587COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2f0de5bbefbb8f9853d2aa176f302779de025994e68b24fbe8ff863ffd44bfdc
                                                      • Instruction ID: 9554341ff2fca9b0f24873f217de56dbc377c987167aa46a2b9ecad1eaef9cb5
                                                      • Opcode Fuzzy Hash: 2f0de5bbefbb8f9853d2aa176f302779de025994e68b24fbe8ff863ffd44bfdc
                                                      • Instruction Fuzzy Hash: 61F18921E8CA564FFB19966998901B977D1FF81398F18417EC08BC71D7EF38B846C285
                                                      Function 00007FF888056CA9 Relevance: .6, Instructions: 584COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 93c0a59ed2558296a4b6083affe798cc2d366418d963ed7f68f8e18fb4a4101d
                                                      • Instruction ID: 88439af248a0764b03377125bd5d16fcbd84046eb1253fd18b2ce976970f6f0c
                                                      • Opcode Fuzzy Hash: 93c0a59ed2558296a4b6083affe798cc2d366418d963ed7f68f8e18fb4a4101d
                                                      • Instruction Fuzzy Hash: 6D02F631D1D9894FEBA8DA1C88165A477E1FF89350F0406B9D49DCB2D2DB387C0AC7A5
                                                      Function 00007FF88804CD5D Relevance: .6, Instructions: 576COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d793b619c5b8f3c56e5fd9416f44ef572903108a9dde6ad8bcc2686ca18b0835
                                                      • Instruction ID: c653458d507c5a8f4852a4c76964da01375fc496c3423a157ee7d6daa47789e1
                                                      • Opcode Fuzzy Hash: d793b619c5b8f3c56e5fd9416f44ef572903108a9dde6ad8bcc2686ca18b0835
                                                      • Instruction Fuzzy Hash: BCA1373299DBCA4FE7169A2898551F57FA0FF52354B0801FBC8DAC70E3DE28A806C755
                                                      Function 00007FF88804C5D1 Relevance: .5, Instructions: 512COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 871af91bb43ff7cfd93226b966afaa2c9893e31be6dfca181d73d64894fa19f8
                                                      • Instruction ID: 4c9b6669be9ba627a0efe4b9d2c9caafbe29b0ef16b2761b49015fbfad3e6c2a
                                                      • Opcode Fuzzy Hash: 871af91bb43ff7cfd93226b966afaa2c9893e31be6dfca181d73d64894fa19f8
                                                      • Instruction Fuzzy Hash: CFE10735D4D7815FEB16AA6898651F53BE0EF41398B0841BAD09DCB0E3DE3CB847C296
                                                      Function 00007FF888046118 Relevance: .5, Instructions: 505COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 100769904c64c04c681cd8e72e4fb2fa4131eb1642e7d45e7d5228ba13e3016e
                                                      • Instruction ID: c8867646c83bad8d0e4c74a58cd6bb10635ec708c5f7b821dabfeeb10a8a399e
                                                      • Opcode Fuzzy Hash: 100769904c64c04c681cd8e72e4fb2fa4131eb1642e7d45e7d5228ba13e3016e
                                                      • Instruction Fuzzy Hash: FDE14431A8CA064FEF5C9A2894902B973E1FF94358F2441BDD04FC75D6DE28B886C789
                                                      Function 00007FF888049DA0 Relevance: .5, Instructions: 466COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 31487c7329b5390338ac6b2c60f29d52f1642fb5190c5e08daac7edae5ff9997
                                                      • Instruction ID: 3366e16e90ece58874d21209b1b16f4b2942ffab7a03a21ef2df1af91d221dc0
                                                      • Opcode Fuzzy Hash: 31487c7329b5390338ac6b2c60f29d52f1642fb5190c5e08daac7edae5ff9997
                                                      • Instruction Fuzzy Hash: 05E1C13598CA5A4FEF98EF288881AB973A1FF55348F1005B9D41ADB1D6CB34F842C784
                                                      Function 00007FF88804C6FB Relevance: .4, Instructions: 416COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 36dbe888274916cccddc76ac0822447e18ada632ec22d596fc1fc16934ac60bd
                                                      • Instruction ID: 652762fdd11f481c45e89aac7a2b07d20fd43af6868531ec89bfddc589422495
                                                      • Opcode Fuzzy Hash: 36dbe888274916cccddc76ac0822447e18ada632ec22d596fc1fc16934ac60bd
                                                      • Instruction Fuzzy Hash: 53C1F731D4D7815FE716AB6898651F57BE0EF02398B1841BAD0DA8B0D3DE38B847C786
                                                      Function 00007FF88804B0F2 Relevance: .4, Instructions: 412COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 63f2fcb1ad0f6d6576af0a64791c0adc5629ecc7b4cb8e257589ecbfcc4db32c
                                                      • Instruction ID: 8446b6f6ad61abcb2736838db511e7c56a4559cfea22c1d03b8423e62740dc48
                                                      • Opcode Fuzzy Hash: 63f2fcb1ad0f6d6576af0a64791c0adc5629ecc7b4cb8e257589ecbfcc4db32c
                                                      • Instruction Fuzzy Hash: 97D10331D4D6899FEB46EBA8D8656EC7BB0FF56354F0800BAD048CB1E3CE286846C755
                                                      Function 00007FF888052FE9 Relevance: .4, Instructions: 402COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5ebf991b600996ad958b0ff0b5cdfac1d556dc118def91421c4ae38f6c5ddb91
                                                      • Instruction ID: 1cb22c906c66a89ec57251d5569e1269e64d4a5a5b5f7101eb547f80154b528c
                                                      • Opcode Fuzzy Hash: 5ebf991b600996ad958b0ff0b5cdfac1d556dc118def91421c4ae38f6c5ddb91
                                                      • Instruction Fuzzy Hash: 78C1D231A0CA4A4FEBA8DA1C885677477D2FFAA351F0505B9D04CD76D2DE28AC0AC395
                                                      Function 00007FF88805032A Relevance: .4, Instructions: 398COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4941618504b9a3d038a6acc347bf623f84b8d4d953d0f8aa36b8989823f6658a
                                                      • Instruction ID: cd350ff232a67bdd43b1551a935b4dc9eb886bde7f9ac41621e1c68e7d437b71
                                                      • Opcode Fuzzy Hash: 4941618504b9a3d038a6acc347bf623f84b8d4d953d0f8aa36b8989823f6658a
                                                      • Instruction Fuzzy Hash: 37C1F631A0994A8FEFA8DA2CD4556B977D1FF98341F2400BED08ED7292DE34AC42C795
                                                      Function 00007FF888040C6D Relevance: .4, Instructions: 382COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6e3bc5361f154f048af5f080d168c7daa300871dff254a7a2910798212643fc0
                                                      • Instruction ID: 289455c4a8ffe9c4eee2e4fd916e0336525906e283bd229b6fb4f42167b275f7
                                                      • Opcode Fuzzy Hash: 6e3bc5361f154f048af5f080d168c7daa300871dff254a7a2910798212643fc0
                                                      • Instruction Fuzzy Hash: 23B1D620B4C9490FEB89A72C982937977D2FF8A394F1404B9D44ED72D3DD286C828355
                                                      Function 00007FF888040B5D Relevance: .4, Instructions: 381COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c34d25103a6b0834cc9792cfad68c2c670f60d60e7a5e8a267ba3bdceba16b4e
                                                      • Instruction ID: 36e07571be9feb6979f101855910edf50b35dedb14a5686b08bdbec7c15a9ade
                                                      • Opcode Fuzzy Hash: c34d25103a6b0834cc9792cfad68c2c670f60d60e7a5e8a267ba3bdceba16b4e
                                                      • Instruction Fuzzy Hash: A8B17921B8CE460FEB59AA2C94522B977D1FF84354F14427AD04ECB6D7DE28A847C3C9
                                                      Function 00007FF888053CF8 Relevance: .4, Instructions: 351COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d483168f6c88da3f9b540f66f4b9e79e272486675a60928062b9bf530707111e
                                                      • Instruction ID: d6a534d247856a56fd227a9e6588d7c4d32421caffe4182fee385682fda8bf37
                                                      • Opcode Fuzzy Hash: d483168f6c88da3f9b540f66f4b9e79e272486675a60928062b9bf530707111e
                                                      • Instruction Fuzzy Hash: F2B16B7190CE8A4FEB68DA1894426B437E1FF95340F1001BAD48EDB2D6EF38AC46C795
                                                      Function 00007FF8880434A8 Relevance: .3, Instructions: 333COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 383f84f515faeca8430dc9d4feaef1370d07476d5f3112decb2c9d718c1d8428
                                                      • Instruction ID: 506d3290d3f6896a6f4d61e35b8ef940c180e483f1863a6abc5ff225317f5696
                                                      • Opcode Fuzzy Hash: 383f84f515faeca8430dc9d4feaef1370d07476d5f3112decb2c9d718c1d8428
                                                      • Instruction Fuzzy Hash: ECB1C430A48A4A8FDB88DF1CC89567977E1FFA9704F1405ADD48EC7296DB34E802CB85
                                                      Function 00007FF888055F45 Relevance: .3, Instructions: 264COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f764643d8feca4db6a1bedb534f1da224813e4a69c9c77477fd2f4327f76a338
                                                      • Instruction ID: c39c738431687270d5bd1078b42300df76b1c7ea299e9aeac322425d2195554c
                                                      • Opcode Fuzzy Hash: f764643d8feca4db6a1bedb534f1da224813e4a69c9c77477fd2f4327f76a338
                                                      • Instruction Fuzzy Hash: BF71D231A0CE8D4FDB58EB58D854AB8BBE1FF59350F0402AAD04ED7296DE38AC46C741
                                                      Function 00007FF88804B930 Relevance: .3, Instructions: 251COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 353abf06c766f6c2e993a56b7417afed29bb845560dae6c72130a91e15f72bf1
                                                      • Instruction ID: e26c0b1c945015cfb0c08965c5a4bff1f6f5f9e01928a2da55c9d9890267b7b8
                                                      • Opcode Fuzzy Hash: 353abf06c766f6c2e993a56b7417afed29bb845560dae6c72130a91e15f72bf1
                                                      • Instruction Fuzzy Hash: 2671C231A089498FEF59EF18D895AF877E1FF59340F04016AE44ED7296DE38AC46C742
                                                      Function 00007FF888055F60 Relevance: .3, Instructions: 251COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 376ed4fa6860a4025ef61547ce599a9fc8eda728bb334c8148de77de1cdbbb33
                                                      • Instruction ID: 71af0d8611e3adefc18ac44d67a377a7deeb28ef8631c289fe96c648f5fc27b7
                                                      • Opcode Fuzzy Hash: 376ed4fa6860a4025ef61547ce599a9fc8eda728bb334c8148de77de1cdbbb33
                                                      • Instruction Fuzzy Hash: 7771B031A08D4D8FEB88EB5CD855AB9B7E1FF69350F0402AAD01ED7296DE34AC46C741
                                                      Function 00007FF888046C00 Relevance: .2, Instructions: 248COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fbfa1d457c05f2a7a937145cfddc21aab1a85518230cc81da5d2ffbb3ac674c9
                                                      • Instruction ID: 223d9eab3f39cee20406be81e3bd3d2a7190d0208d0f4af168de0b8464084462
                                                      • Opcode Fuzzy Hash: fbfa1d457c05f2a7a937145cfddc21aab1a85518230cc81da5d2ffbb3ac674c9
                                                      • Instruction Fuzzy Hash: C971FE70A98A058BEB28DA28C8455B1B3E0FF54788F1445BDD09BC36D2DE39B843C786
                                                      Function 00007FF88804E09C Relevance: .2, Instructions: 248COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: da2d370acd0a3c6f85c2c9574f484df438d8b02d9ee46c9e6c7af915a80d2ab9
                                                      • Instruction ID: 2a92bde039c745f01c326ab4c3222ee77d310ba791e0c9482c5370a93269973b
                                                      • Opcode Fuzzy Hash: da2d370acd0a3c6f85c2c9574f484df438d8b02d9ee46c9e6c7af915a80d2ab9
                                                      • Instruction Fuzzy Hash: 25519C269CE3C64FE74356744C750A07FB0AE532A4B1E41EBC4D98F1E3DA1C188AD726
                                                      Function 00007FF8880446E8 Relevance: .2, Instructions: 240COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 42a86f8739c13a9f208dabad15ca4898c7591afc3a0b9bb6dfef10e055dcebcc
                                                      • Instruction ID: 7776ace2c6e448cbb70a5c335086eba80aa01c2718b2ef58794c0be256049dd6
                                                      • Opcode Fuzzy Hash: 42a86f8739c13a9f208dabad15ca4898c7591afc3a0b9bb6dfef10e055dcebcc
                                                      • Instruction Fuzzy Hash: E0611231A4DB884FD359CA2CD8965757BE1FF8A714B1401BED08AC72A3DE34A803C785
                                                      Function 00007FF88804A940 Relevance: .2, Instructions: 236COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c23eeb4b30764b34a23da29e2e206cbab563a1228beb73f0c0c0dd5d20d9642a
                                                      • Instruction ID: 4cd6933d5e499e4e349e4a84a985dc1b7f649d5419bb346bd22255e300cf4af9
                                                      • Opcode Fuzzy Hash: c23eeb4b30764b34a23da29e2e206cbab563a1228beb73f0c0c0dd5d20d9642a
                                                      • Instruction Fuzzy Hash: E171D130A5CA4E8FEF49DF18C5905BE77A2FF84344F1041B9D009C7296DB39A892CB84
                                                      Function 00007FF8880571AB Relevance: .2, Instructions: 236COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 07e7edb4d1846d3c03c8fdf3e5152fd9a51de6bb4309859a6367817654974dd4
                                                      • Instruction ID: 92b18a814b5a8db1c841a2ace2495b1a36e9c8a2563158a0ebd0e2cdff012c16
                                                      • Opcode Fuzzy Hash: 07e7edb4d1846d3c03c8fdf3e5152fd9a51de6bb4309859a6367817654974dd4
                                                      • Instruction Fuzzy Hash: 5971F621E5CBC65FEB49AB7888216A5B7E1FF51250F4446BAC08EC31EBDE2CA405C752
                                                      Function 00007FF8880426AD Relevance: .2, Instructions: 235COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 92897e104030965a651d6f9e66b0c0910b36eb06e37defe551992a55e0056144
                                                      • Instruction ID: 5e2659a66a748b6217931ec2d34dc5cac9a465553490583cecc95b6579c2e30e
                                                      • Opcode Fuzzy Hash: 92897e104030965a651d6f9e66b0c0910b36eb06e37defe551992a55e0056144
                                                      • Instruction Fuzzy Hash: 9C613822F4C7926BE745B67CAC561F93BD1EF452A8B0801BBD09DC72E3DD2C6846C285
                                                      Function 00007FF888041558 Relevance: .2, Instructions: 208COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a421b70d9eea2d9fdb1d3633f85b1935ba7b632fb1f3ea78805d5561aadd59c0
                                                      • Instruction ID: 45af7d92e06cc48218929ab6969e7ae7164b305397f9080b197617b2914993eb
                                                      • Opcode Fuzzy Hash: a421b70d9eea2d9fdb1d3633f85b1935ba7b632fb1f3ea78805d5561aadd59c0
                                                      • Instruction Fuzzy Hash: 9951F130A4CA4D4FDB99EBA884496B97BE1FF59355F18427BD00DC32A2DF28A805C781
                                                      Function 00007FF8880423F8 Relevance: .2, Instructions: 207COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6d81f3ea82b981bcfbd90441ca728171b9b59c9cfa0e68f329e490b45966a730
                                                      • Instruction ID: 41f69b9d672e05d075e1f483352e2bd4cbc97af4d18daae3a8b948cb23a00c49
                                                      • Opcode Fuzzy Hash: 6d81f3ea82b981bcfbd90441ca728171b9b59c9cfa0e68f329e490b45966a730
                                                      • Instruction Fuzzy Hash: 1A515831B9CA454FDB69CA2CE85667137D1FB89754B1501BEE08EC72A2DE24EC43C386
                                                      Function 00007FF88804FFDD Relevance: .2, Instructions: 196COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 958f8c0853d7c539e4acdb8f488a31e7c1985ccf763d736c15eb718c4ad0c1a3
                                                      • Instruction ID: 3721e821c3e1fa44e2a87c9137ee791f581a1c377171022ab06071575a095e7b
                                                      • Opcode Fuzzy Hash: 958f8c0853d7c539e4acdb8f488a31e7c1985ccf763d736c15eb718c4ad0c1a3
                                                      • Instruction Fuzzy Hash: A7513630A0D7888FD759DA2C845157A7BE0FF86750F1406BEE0CAC76D2DE39A806C396
                                                      Function 00007FF888056A65 Relevance: .2, Instructions: 190COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 80b72c3eb8ea084fc137291767ad772aa9f1e24f3071562788be103f21b9fb0c
                                                      • Instruction ID: 90d0b325b971173f7d641859c2cecde18e4a0abb206c9daae6b4a0c54b7eebc6
                                                      • Opcode Fuzzy Hash: 80b72c3eb8ea084fc137291767ad772aa9f1e24f3071562788be103f21b9fb0c
                                                      • Instruction Fuzzy Hash: 45517631908A8D8FDF95DB28C4646A97BF1FF5A341F0901EAD04DE72E2CA35AC45C791
                                                      Function 00007FF88804650D Relevance: .2, Instructions: 175COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 617f82dee20fa2e4676b25c7a49fb365548545fc457f645563df7022982af0d1
                                                      • Instruction ID: ce3b5236d38236fbd7db0f36f26c5a378bd95b50f79a51fd4eb1f6524de31e07
                                                      • Opcode Fuzzy Hash: 617f82dee20fa2e4676b25c7a49fb365548545fc457f645563df7022982af0d1
                                                      • Instruction Fuzzy Hash: 1B51B631E489495FEB88EB7898657B8B7E2FF49394F0401BED40ED72D6DE28A805C741
                                                      Function 00007FF888046530 Relevance: .2, Instructions: 160COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 608ea7108a2f01cb4c544473f1bb2ea87aa469b0c112fae55aa3349a93c2f4bb
                                                      • Instruction ID: 84f881788e876b0cd9afc6e78c59c310e1289af4dba796fd66765ed1495dabce
                                                      • Opcode Fuzzy Hash: 608ea7108a2f01cb4c544473f1bb2ea87aa469b0c112fae55aa3349a93c2f4bb
                                                      • Instruction Fuzzy Hash: A441C431E489494FEB88EB7898653B8B7E2FF49394F04007ED00ED72D6DE28A805C741
                                                      Function 00007FF88804C5C8 Relevance: .2, Instructions: 152COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2bf0272ee50c2434eed5165af81eb3f89be02c9d4517f511eaadfe9eebede35e
                                                      • Instruction ID: 78bbe9658d6dc9c841248348b95176b7cb464eb18e1cddd09202d648375f41bb
                                                      • Opcode Fuzzy Hash: 2bf0272ee50c2434eed5165af81eb3f89be02c9d4517f511eaadfe9eebede35e
                                                      • Instruction Fuzzy Hash: C7414F30A0495D8FDF95EF18D494AA97BF1FF59351F0401AAD40AE72A1CA35AC81CB91
                                                      Function 00007FF888047658 Relevance: .1, Instructions: 135COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0bf86b249f329b8d0914c6afd5e793976a3f621af6a6e140532d9b2bdcd7dbee
                                                      • Instruction ID: e42ee69a1ff6d2453fb81704864e29fe660481931678dafb44d454376033f159
                                                      • Opcode Fuzzy Hash: 0bf86b249f329b8d0914c6afd5e793976a3f621af6a6e140532d9b2bdcd7dbee
                                                      • Instruction Fuzzy Hash: E741353064DA954FE74AAB3888255797BE0FF96345F0801FED08ACB2E3DA2CE545C345
                                                      Function 00007FF8880449C9 Relevance: .1, Instructions: 133COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ad600604f5fd3bb0ce66163b4c793a623edb2599b9399ef844f52f86729b8b6d
                                                      • Instruction ID: cabd8255338ca375dda744d76f93cd4215a72ee3e60dfe0a166355f94a42c03f
                                                      • Opcode Fuzzy Hash: ad600604f5fd3bb0ce66163b4c793a623edb2599b9399ef844f52f86729b8b6d
                                                      • Instruction Fuzzy Hash: A3314830A5CF460BEB0C9E188852475B7E1FB95314B00067ED4DA87696EE34F85387C9
                                                      Function 00007FF888040480 Relevance: .1, Instructions: 132COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 19c24daa0f1552d6f32eeba641285394be2f1d34ad2b43532df01f09ec85b2a9
                                                      • Instruction ID: 4a36351497bfca4d020d2f046f29b72e86022c920e981ef8ca6e0244be659b25
                                                      • Opcode Fuzzy Hash: 19c24daa0f1552d6f32eeba641285394be2f1d34ad2b43532df01f09ec85b2a9
                                                      • Instruction Fuzzy Hash: 6831EA62F9CE1557AA6CA56C784A1BD73D2FBD87B4F04027EE00ED32D6DE286C0242C4
                                                      Function 00007FF88804C5C0 Relevance: .1, Instructions: 129COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c34a874438eaf5f6a796b2cb013da88900a743d98efafaa33f57115deb87fbdb
                                                      • Instruction ID: 4b7d16fc47263ed76d0f21a5b2ebcea0485adaf2057d4104ac1c9c0f46d8964b
                                                      • Opcode Fuzzy Hash: c34a874438eaf5f6a796b2cb013da88900a743d98efafaa33f57115deb87fbdb
                                                      • Instruction Fuzzy Hash: DA416D34A0895E8FDB85EB2CD894AB97BE0FF19345F0405AAD409D72A6DB74AD40CB81
                                                      Function 00007FF8880468D9 Relevance: .1, Instructions: 127COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 718a797e655f024b1b4fc1003166de6f1c6623d57a8f8a32abfc6ccd1464e362
                                                      • Instruction ID: b70a24c056501a64e4ea7d586c5e50d8b5fda0082e904f4bd8cad5199ae8c47b
                                                      • Opcode Fuzzy Hash: 718a797e655f024b1b4fc1003166de6f1c6623d57a8f8a32abfc6ccd1464e362
                                                      • Instruction Fuzzy Hash: 5C413821E8D6864FFB95976898952B83BE1FF05694F0400BAD05EC71E3DE2C6C45C742
                                                      Function 00007FF88818110C Relevance: .1, Instructions: 126COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1749302951.00007FF888180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888180000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888180000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4af93a218f20c2309d6e84033f6b8619decffc5a7ea8322a546e0e26c5557895
                                                      • Instruction ID: 59e987ff359f6b22f18630bdcf4f1f5cca090e8577e830745dd4843dc1b2d299
                                                      • Opcode Fuzzy Hash: 4af93a218f20c2309d6e84033f6b8619decffc5a7ea8322a546e0e26c5557895
                                                      • Instruction Fuzzy Hash: 5441023A918A8D8FEB65DF28D8955E8BBE1FF59340F1401BAC44ED7195DF24A841C780
                                                      Function 00007FF8880444FC Relevance: .1, Instructions: 124COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6520721f232cdc539b31af07eeaaf23760dbab140fbf6edb9e5734f3ca3f7aba
                                                      • Instruction ID: 3694c7b59e571450e802e3cd1865fc51cd50ae5c7557a144c5ee51274e05783d
                                                      • Opcode Fuzzy Hash: 6520721f232cdc539b31af07eeaaf23760dbab140fbf6edb9e5734f3ca3f7aba
                                                      • Instruction Fuzzy Hash: B731F532FCCE494FDB698A2C682117477D1FB85694B5501BBD04EC72D6DE24AC028386
                                                      Function 00007FF888044545 Relevance: .1, Instructions: 116COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0a99a1a71074b4b73d8c81af562fe2cd7b474b8447ba5f8cbeae1b4cb9b452d6
                                                      • Instruction ID: 0e4af39115d474e0f605fef401514586948d3bcae7e4fb099f6cfa0bcd72ef2b
                                                      • Opcode Fuzzy Hash: 0a99a1a71074b4b73d8c81af562fe2cd7b474b8447ba5f8cbeae1b4cb9b452d6
                                                      • Instruction Fuzzy Hash: 91213431B9CE550FDB688A1CA85553577D1FBC97A471901BEE04EC72A6EE20EC028385
                                                      Function 00007FF888058C08 Relevance: .1, Instructions: 112COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2270189c73450f5f060fe1669954bd1ea2a0c60d349e7c59f20624a31efffb66
                                                      • Instruction ID: 73b8993e8425aa345d3a9cc89875fe1efb0e5699f9c9fa50d8d7ffecdbba08a0
                                                      • Opcode Fuzzy Hash: 2270189c73450f5f060fe1669954bd1ea2a0c60d349e7c59f20624a31efffb66
                                                      • Instruction Fuzzy Hash: 8F419A2144E3C64FD3179B7488655A17FF1AF13224B0A45EBC4D6CF0E3E62CA84AC722
                                                      Function 00007FF888057C52 Relevance: .1, Instructions: 111COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8cff75f9e3217d4834a448cf727274607e519b000dc6191c558841d1b88aa90c
                                                      • Instruction ID: d2de1f81b9040fa2d5d97e131d822d03d7018de8b046cf8791283060ea9704a4
                                                      • Opcode Fuzzy Hash: 8cff75f9e3217d4834a448cf727274607e519b000dc6191c558841d1b88aa90c
                                                      • Instruction Fuzzy Hash: B831593160D7850FD72E96349C650B57FA2EB87220B5942FFC086CB2E7D9296806C394
                                                      Function 00007FF888057E20 Relevance: .1, Instructions: 106COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cc486a69d44b72061720decb045f3c30ed1c897859e2259276fb711fb5ecd991
                                                      • Instruction ID: a5dc9a81617ede68aff10f529862cc6c9e196188bf4778a2ec7a353127c1b9e2
                                                      • Opcode Fuzzy Hash: cc486a69d44b72061720decb045f3c30ed1c897859e2259276fb711fb5ecd991
                                                      • Instruction Fuzzy Hash: 5F21A03564E3C41FD72E8A744C261767F6ADB87214B0A82AFD4C6CA1E7DD185C0783A6
                                                      Function 00007FF88804AC09 Relevance: .1, Instructions: 96COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 32f12c8ab544d26cfc0ba8365363ab957552ed6db1047352788fb9ca27581f7b
                                                      • Instruction ID: de8f317bf03a819f31878bf2751a493cedf218fd48d2e915792e81a7a9174c28
                                                      • Opcode Fuzzy Hash: 32f12c8ab544d26cfc0ba8365363ab957552ed6db1047352788fb9ca27581f7b
                                                      • Instruction Fuzzy Hash: A821883198C6960FE785972098154F53BE0FF8A359F0801BAE08CCB1D2CB2CE682C359
                                                      Function 00007FF88804F8E9 Relevance: .1, Instructions: 91COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 214571ae82e0998cbbc2931287619634a1bfbe24e41640472742f803e4414413
                                                      • Instruction ID: e6f3985e3aaf4ce78beee19d603f82594e5c8c75e95ff54a70a927ed03faf075
                                                      • Opcode Fuzzy Hash: 214571ae82e0998cbbc2931287619634a1bfbe24e41640472742f803e4414413
                                                      • Instruction Fuzzy Hash: D621353165DB954FE346DB3888940A07BE1FF99218B1846FFD499C72E7DA39A882C740
                                                      Function 00007FF888058920 Relevance: .1, Instructions: 87COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 779aab70f7df8d709d7ae35aa8b5247abd5c7d6e82a6930cbe21100bb33d86b5
                                                      • Instruction ID: 79a862d8f8e7e1948ce575f35a32d89fd8b34171bc69709b2f612aed88831d19
                                                      • Opcode Fuzzy Hash: 779aab70f7df8d709d7ae35aa8b5247abd5c7d6e82a6930cbe21100bb33d86b5
                                                      • Instruction Fuzzy Hash: E021573290D6054FE32CDAA998564E17B91FB42364B1542BED4C6C71F3EE34AC0BC794
                                                      Function 00007FF888053554 Relevance: .1, Instructions: 87COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 563bbca8ea51ea6224b4fcfeab3885892e2dbef5f8dcade682b068b182969fa5
                                                      • Instruction ID: d486d5cddf67ddb38fd1dd210722f814179d9c0a0f011fa63e8a5976a042e32e
                                                      • Opcode Fuzzy Hash: 563bbca8ea51ea6224b4fcfeab3885892e2dbef5f8dcade682b068b182969fa5
                                                      • Instruction Fuzzy Hash: F0214830A18A0D8FDB94EB6CD894BA8B7F2FF59740F5001E9D00DEB256CE34A881CB01
                                                      Function 00007FF888040FED Relevance: .1, Instructions: 87COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 96f694b5fd9f4fcd4ed85fd3e0ae8e86c05e38ce0f944f6696108c016b532493
                                                      • Instruction ID: 6e7ad9fa1135d5078978dc334c5e687e23dff6c1dda640732af95a4025d69512
                                                      • Opcode Fuzzy Hash: 96f694b5fd9f4fcd4ed85fd3e0ae8e86c05e38ce0f944f6696108c016b532493
                                                      • Instruction Fuzzy Hash: 902126128CCACA0FEB56977848216E43FA1FF86285F0841FAD48CC70D3DE6CA80AC355
                                                      Function 00007FF888048175 Relevance: .1, Instructions: 82COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4d45508de1d259927334f8931e3e6519b826ed5334c70ce2c6688f6a7a30f094
                                                      • Instruction ID: eaf2c8a7b0a5f0a15938334f4af8c471af58f99a8a6fbbc23b565adc9745cd9f
                                                      • Opcode Fuzzy Hash: 4d45508de1d259927334f8931e3e6519b826ed5334c70ce2c6688f6a7a30f094
                                                      • Instruction Fuzzy Hash: 1E215B31A4DB885FD795DB2C98105767FE1FF8A264F0806BFD48DC72A3CA28A841C742
                                                      Function 00007FF8880569B9 Relevance: .1, Instructions: 80COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 774fc55625ec411509daca75029abba9246f4eed29559e575bc96fac2ef5bd34
                                                      • Instruction ID: 02df564bf3e12fa9acdd91eb2e37b25ccc9e78a51126e83ac3486781b8cd40d1
                                                      • Opcode Fuzzy Hash: 774fc55625ec411509daca75029abba9246f4eed29559e575bc96fac2ef5bd34
                                                      • Instruction Fuzzy Hash: B021D431A0CA894FF740EB6884582BA77D0FF98354F18057AD48CE71E2DE29A982C755
                                                      Function 00007FF8880580D8 Relevance: .1, Instructions: 70COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 191dab3ec11ed6d4e762fc9ef4c84713caabf8e59f21e0f29b8f05a8784cd5db
                                                      • Instruction ID: 3e64918a6aa07ad03719c45185a592d1b2063f42d167a5cd75e34c97f87657a3
                                                      • Opcode Fuzzy Hash: 191dab3ec11ed6d4e762fc9ef4c84713caabf8e59f21e0f29b8f05a8784cd5db
                                                      • Instruction Fuzzy Hash: E821AC2141E3C10FDB178B2098621A67FB0BF43244F1A45FFD4C68B4E3DA286919C3A3
                                                      Function 00007FF8880466C2 Relevance: .1, Instructions: 69COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: add34ef5d7c4a31fd599292a700f6ec277a3d425311f0ad6fdde3e56c0d44f7b
                                                      • Instruction ID: 44822ff53f815024c6349a8f635dc88bc54cdf6c36b512c57fc85a7f8c570d48
                                                      • Opcode Fuzzy Hash: add34ef5d7c4a31fd599292a700f6ec277a3d425311f0ad6fdde3e56c0d44f7b
                                                      • Instruction Fuzzy Hash: AF21E161C8D6CA1FE7879BB888641F97FF0EF46240F0901E6C598CB1A7D92C198AC702
                                                      Function 00007FF8880570A7 Relevance: .1, Instructions: 64COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4490317453e5ca795fd4016b03645a2ad87d238d764b028b51cf5e8b5353dc03
                                                      • Instruction ID: d5c22efb1eba8b2b373cf10e9e74702ee2278c5f782547e6a2f77adb6dd2e47c
                                                      • Opcode Fuzzy Hash: 4490317453e5ca795fd4016b03645a2ad87d238d764b028b51cf5e8b5353dc03
                                                      • Instruction Fuzzy Hash: 43114C32E5C9128BE61DA6284C2727973D6F7957B0F0083BEC44A976D7EE2C1C16C6C6
                                                      Function 00007FF88804BD28 Relevance: .1, Instructions: 62COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c2efee840dfea260a1f2dd798508f2e6f81331e041b29ec6029b7e5283a8ef2e
                                                      • Instruction ID: 5b5bfe97950a2a9e954e3af855265145ad80e34a41534177b38362e0cbed223f
                                                      • Opcode Fuzzy Hash: c2efee840dfea260a1f2dd798508f2e6f81331e041b29ec6029b7e5283a8ef2e
                                                      • Instruction Fuzzy Hash: 8511A730508A098FEB68DA28D49497A73E1FF94359F64053DE44FC3191DF38A441C745
                                                      Function 00007FF88805174E Relevance: .1, Instructions: 60COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4ce68db67d72a91cd2fca7f3b5b16fef54c3a0ffbf59d3a8fd42a33fe270097e
                                                      • Instruction ID: 6aa1a94031998577a9d474fd4887aa7d52139a6162af9eba15acca880bc14e53
                                                      • Opcode Fuzzy Hash: 4ce68db67d72a91cd2fca7f3b5b16fef54c3a0ffbf59d3a8fd42a33fe270097e
                                                      • Instruction Fuzzy Hash: 9C01F721F08E0E4FE784EBAC6C593B8A2C2FF98691F1405BAD40CC7297DD2C5C858742
                                                      Function 00007FF888046048 Relevance: .1, Instructions: 60COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 920982287ceea556519609b1d63f6653744621d058a702c8bfaabe5ece22941d
                                                      • Instruction ID: fa118f9bd53c428abcd61c6766940212cc5bc3e1ad5a10fe33bd4d2bb8ab028a
                                                      • Opcode Fuzzy Hash: 920982287ceea556519609b1d63f6653744621d058a702c8bfaabe5ece22941d
                                                      • Instruction Fuzzy Hash: A401FC21E4D2991BE704667C7C925F63B94EF472A8B040276E0CCC6193D9295847C345
                                                      Function 00007FF888057131 Relevance: .1, Instructions: 59COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3075b884b1940a74e7f67b551016206ad1d8e239099c5b14464a30b42c2c4cb3
                                                      • Instruction ID: 636deca54ee4be267a56178049aec95b07d0845a11bfdd23bfde6734bd6c25f3
                                                      • Opcode Fuzzy Hash: 3075b884b1940a74e7f67b551016206ad1d8e239099c5b14464a30b42c2c4cb3
                                                      • Instruction Fuzzy Hash: 2A01A772F4CE150FA76C551C74561B463D1F7C9670B0403BED04EC22DBDE25581346C9
                                                      Function 00007FF888047650 Relevance: .1, Instructions: 56COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 078fab82bd3e1fb04300b1330df090e2a024c30f901a3322e735d393d0aee932
                                                      • Instruction ID: 07257db130bc719f21b08c07ecbd23f6d53c00014375832a40f93858fe5a75e5
                                                      • Opcode Fuzzy Hash: 078fab82bd3e1fb04300b1330df090e2a024c30f901a3322e735d393d0aee932
                                                      • Instruction Fuzzy Hash: 9111F731E8C50E8BEF68DB5896526FEB6B6FB48344F10003AE519E2281CB746955CBD8
                                                      Function 00007FF8880517FC Relevance: .1, Instructions: 53COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9ef651b3a788cee5082677f8833ba56c7c73cfae125f50e2d8605b27125c3050
                                                      • Instruction ID: 217dede637e8c5dbd828ad6213c6f56670172fcc2f0f49ec81f2588aaf6d696f
                                                      • Opcode Fuzzy Hash: 9ef651b3a788cee5082677f8833ba56c7c73cfae125f50e2d8605b27125c3050
                                                      • Instruction Fuzzy Hash: 17F0F652E0CD5B4BE7B5406D28951F117D2FF94662F0940FAC48CD22DADD6D4C874395
                                                      Function 00007FF888050191 Relevance: .0, Instructions: 49COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d2a84558eb2c0b15554df42210352eb8b97dd8d300e561aec4c5d1fd91b78ea1
                                                      • Instruction ID: 33b9462ce9ee1ce40da87b1b1b32ad0227afc8c7e234c1d3c7d0df6138e1deb7
                                                      • Opcode Fuzzy Hash: d2a84558eb2c0b15554df42210352eb8b97dd8d300e561aec4c5d1fd91b78ea1
                                                      • Instruction Fuzzy Hash: 02F0C23560CE898FC7A6D76C88545657BE1FBA526030902AAC48AC75A6DE28E846C341
                                                      Function 00007FF888057F03 Relevance: .0, Instructions: 49COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 192b2be903c05861c0bf91fd5a2ff0236eff53413388f0552287a124b5b77745
                                                      • Instruction ID: 43db5061950fa3e8488aa3c322e01f0fc01adc6b44de7567b59f55f056bc9fea
                                                      • Opcode Fuzzy Hash: 192b2be903c05861c0bf91fd5a2ff0236eff53413388f0552287a124b5b77745
                                                      • Instruction Fuzzy Hash: F1F0C2347986454F8B0C9919886643973ABE7C7315764D23ED487C63D6CD34A8078A89
                                                      Function 00007FF888058EF4 Relevance: .0, Instructions: 48COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2826004d4f5e3ae4af26f6d593eb91e9ed186c7b239e0647c0e5622339bbe4da
                                                      • Instruction ID: 0b237c95cfcd822a4adb3261724696f443c26cd098579faad458688282510cad
                                                      • Opcode Fuzzy Hash: 2826004d4f5e3ae4af26f6d593eb91e9ed186c7b239e0647c0e5622339bbe4da
                                                      • Instruction Fuzzy Hash: 0101262150DBC54FD7669B344838172BFE2AF9A310B0946EFC0C5CB1E3CA245914C365
                                                      Function 00007FF88804BB28 Relevance: .0, Instructions: 46COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 03b28b31bf4bd56ceb8ef821dcca78cecc06ccc2f57139ea366ddf4e9c38cb5d
                                                      • Instruction ID: 53e53226e9119ad47cbe1e5182d4a8b33942bdba850f5bb66c33fbc7c84eac5b
                                                      • Opcode Fuzzy Hash: 03b28b31bf4bd56ceb8ef821dcca78cecc06ccc2f57139ea366ddf4e9c38cb5d
                                                      • Instruction Fuzzy Hash: E7F08912F4CD1B57B7B4406D38552B502C1FF94A92F1540F7D44CD22DDDE295C8242D9
                                                      Function 00007FF88805705C Relevance: .0, Instructions: 43COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e5665a092c0773a82b77c9366e2b02194de736a82774e75c99aa0e797a6ba6d6
                                                      • Instruction ID: 6d19cab3c4ec08c771325357068526d5476b12982606efdd63c6092145b39071
                                                      • Opcode Fuzzy Hash: e5665a092c0773a82b77c9366e2b02194de736a82774e75c99aa0e797a6ba6d6
                                                      • Instruction Fuzzy Hash: FDF0CD31B5C8154BD61CAA289C1257A7297E7C5360F1083BED44A872EBDE389C1782C5
                                                      Function 00007FF888057113 Relevance: .0, Instructions: 42COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e450b015a8ec2a12c47628bf2e155a1b13dd566939f4a73a2d070501e610d22b
                                                      • Instruction ID: 5be27b849da6f76dd7f4ad0fb4968be85b2ef3742a872cecf1846943aa275464
                                                      • Opcode Fuzzy Hash: e450b015a8ec2a12c47628bf2e155a1b13dd566939f4a73a2d070501e610d22b
                                                      • Instruction Fuzzy Hash: 14F05431B9D9154FE718561C78121B8A3D1FB88330B5041BEE04EC36D7CE29680281C9
                                                      Function 00007FF888049C50 Relevance: .0, Instructions: 39COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3be05209b2f98b8c1f42980f926007089d3a1ba394c2242d636989755f475563
                                                      • Instruction ID: bf26daf2e64ac8bd6bfc3283ed1a9461a56cf94bcf68215106145d42548b966c
                                                      • Opcode Fuzzy Hash: 3be05209b2f98b8c1f42980f926007089d3a1ba394c2242d636989755f475563
                                                      • Instruction Fuzzy Hash: 23F02B31A088561BE728F6788C541FF7BD7EF84320B14463AD05AD72E6DE386D05C384
                                                      Function 00007FF888049C60 Relevance: .0, Instructions: 39COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0db140f73a5608d4477d722a12a350bfe0f8fb78e33b2ab3e85324e434ce9e4e
                                                      • Instruction ID: 5a0891d6ae7725a2ff644d3c3b726fcee74bcc1b9e4109b27bfc86e0857ac322
                                                      • Opcode Fuzzy Hash: 0db140f73a5608d4477d722a12a350bfe0f8fb78e33b2ab3e85324e434ce9e4e
                                                      • Instruction Fuzzy Hash: AFF09E326048150BDB6CE528CC041BB77D7EBD4330B10073AC407D72E4CE745901C384
                                                      Function 00007FF888046210 Relevance: .0, Instructions: 38COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: acf4813cb169f5218c7f671c88046c60630e7b3ee2d4cf496872e9e1df164af7
                                                      • Instruction ID: 833ce5ed4c9e4a55fa57234db034892ed21847308779b57bd6f228ddece509d8
                                                      • Opcode Fuzzy Hash: acf4813cb169f5218c7f671c88046c60630e7b3ee2d4cf496872e9e1df164af7
                                                      • Instruction Fuzzy Hash: 9EF0A735618D0D8F8AB5EA2CD444A6A73E1FB98310715067AD45ED3668DF24FC42C780
                                                      Function 00007FF888181ED0 Relevance: .0, Instructions: 37COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1749302951.00007FF888180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888180000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888180000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 41bdbfe4a6bab9378b8d8e1038df31c09a831b4c1b923cd9f686d15b08a14395
                                                      • Instruction ID: 03e8eb8f095429f467c8b80b04db02be62153b188609b8f7340f47cd9730fda8
                                                      • Opcode Fuzzy Hash: 41bdbfe4a6bab9378b8d8e1038df31c09a831b4c1b923cd9f686d15b08a14395
                                                      • Instruction Fuzzy Hash: 8EF0EC35E0892D8FDFA5DA48D880BE9B7B1FBA8350F0085E6C44DE3241DB30AAC58F50
                                                      Function 00007FF88805791D Relevance: .0, Instructions: 37COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7d5e3f71836120bda1efd57119dc5cd38d6a55bb9c734de4928cbaecdbcbfead
                                                      • Instruction ID: 49f27be135ebc620921c98ed3a4bd53e57b2153099c2b685fa8b833f0df074d2
                                                      • Opcode Fuzzy Hash: 7d5e3f71836120bda1efd57119dc5cd38d6a55bb9c734de4928cbaecdbcbfead
                                                      • Instruction Fuzzy Hash: 1CF0B421F1D91E4BDB18ED78A8A09767386EB94350B14437EC107D77D6DE29F9028684
                                                      Function 00007FF8880589AA Relevance: .0, Instructions: 34COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 954b988a5173ff64870f9443fcdf60bb602dbf36abadac682064308013f7b7ed
                                                      • Instruction ID: 3a23b5f8e9e3dfdf6b63ec997cabaabd1bbb6a10bacac962137b655a243d9fa5
                                                      • Opcode Fuzzy Hash: 954b988a5173ff64870f9443fcdf60bb602dbf36abadac682064308013f7b7ed
                                                      • Instruction Fuzzy Hash: 1EF0EC316482054FEB1DD91948574397286F741304B74923EDC83D76F6EE34ED2285CA
                                                      Function 00007FF888057705 Relevance: .0, Instructions: 31COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 075af807f427d7dc9ed129497a7a625e35bd48db9b48bebf6b6ea904c938bbb0
                                                      • Instruction ID: 50462992ea3e4aeee6a5c3a4b8943744d31e7d5d0e72859b84faf8354b68be6a
                                                      • Opcode Fuzzy Hash: 075af807f427d7dc9ed129497a7a625e35bd48db9b48bebf6b6ea904c938bbb0
                                                      • Instruction Fuzzy Hash: A4F02B7174860E8FCB0DEA14C4610763382F749700F20827EC247D62E3DF38A406E1C8
                                                      Function 00007FF8880464D0 Relevance: .0, Instructions: 31COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 27fef27e2f10611d61adf0bce4190a2f5c8f3b4d88c87e418625ad3fadfbd7a8
                                                      • Instruction ID: 7565700e70588f60d1c3104412c3a3166929e1e2b99dde930db47609d23291fb
                                                      • Opcode Fuzzy Hash: 27fef27e2f10611d61adf0bce4190a2f5c8f3b4d88c87e418625ad3fadfbd7a8
                                                      • Instruction Fuzzy Hash: 1AE0DF30B548088FEB58B37CA80966932D1EFC9361B4405B9E00DC73A6ED38EC418380
                                                      Function 00007FF8880471D9 Relevance: .0, Instructions: 30COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d26a43c096d460002c4224e6a847c633d540b9f067e2b2987f220823e383a376
                                                      • Instruction ID: 2dc39426e448db228170e9005815e6023f12fd3228e194e2dc6dbb42a6c1f753
                                                      • Opcode Fuzzy Hash: d26a43c096d460002c4224e6a847c633d540b9f067e2b2987f220823e383a376
                                                      • Instruction Fuzzy Hash: C5E0CD11F198091BA694A1ED1C9D5F551C0DB9C575B080176F41DC3256DC185C87C341
                                                      Function 00007FF8880576E4 Relevance: .0, Instructions: 28COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 85e033b2cc198772211d05d58c1cf0fb00a78c487f9ed74429c4b21ecc7fad33
                                                      • Instruction ID: f980b1c660ae94c645d24425ba3f6407bd89582d51fc546465347357cce2548a
                                                      • Opcode Fuzzy Hash: 85e033b2cc198772211d05d58c1cf0fb00a78c487f9ed74429c4b21ecc7fad33
                                                      • Instruction Fuzzy Hash: DFE0D87275C50E4BCE0CE95880650BA3287E785310F10923EC647D21D7EF289506658C
                                                      Function 00007FF888180A04 Relevance: .0, Instructions: 20COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1749302951.00007FF888180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888180000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888180000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ffe9ac2f08f02f0252f21e26a3533e7005167ea878b14d79cddcda49879bb444
                                                      • Instruction ID: 752a976c1ea19cb072e5a8df3d774ba5b350b89d8e2dbaaedcf17f6e5282e621
                                                      • Opcode Fuzzy Hash: ffe9ac2f08f02f0252f21e26a3533e7005167ea878b14d79cddcda49879bb444
                                                      • Instruction Fuzzy Hash: B0E01231A0462C8EEF60EB48DC81BEDB3B2FB88340F0041E6D54DA3281CB306A84CF42
                                                      Function 00007FF8880432C8 Relevance: .0, Instructions: 20COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7992e73c4b05e5c0b662e4f986fa9795aa7db9d61ccc1f45110dbe83380b25fe
                                                      • Instruction ID: cf33c70f3d392092093754581df758099fad9a3fd8cfc45aa6be30b9beee6bab
                                                      • Opcode Fuzzy Hash: 7992e73c4b05e5c0b662e4f986fa9795aa7db9d61ccc1f45110dbe83380b25fe
                                                      • Instruction Fuzzy Hash: CED05E016689064EAA91A3EEA4255AE63C0EB99A607A0453AD49FD21C9DD1CA8838386
                                                      Function 00007FF8880586AE Relevance: .0, Instructions: 18COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 575f24e0b01c32696cc28503cc70f9d6c9297721ebc0af437dc0ac207b66b98d
                                                      • Instruction ID: 077c3598cec19062c0136481e16e3f0ca3b7f5cceb27ddb54cbfa8f6b2af10f0
                                                      • Opcode Fuzzy Hash: 575f24e0b01c32696cc28503cc70f9d6c9297721ebc0af437dc0ac207b66b98d
                                                      • Instruction Fuzzy Hash: EEE08C341587004B870CFA18C5A2439B3E2FBA9204B10553DD18347292CA30B801CA82
                                                      Function 00007FF888049AB0 Relevance: .0, Instructions: 18COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d5fa486787463ac365fe2a733f1657ccda25e62ea2903d2f7bdab00e044ad769
                                                      • Instruction ID: 5e0d919f1c07155b476ebcb78fc7a1fdcbc4ac4f9ff400cae10f0e3a27e1af4c
                                                      • Opcode Fuzzy Hash: d5fa486787463ac365fe2a733f1657ccda25e62ea2903d2f7bdab00e044ad769
                                                      • Instruction Fuzzy Hash: AED02B3088A6854FD7499B2444C042577A1FF86344FC009A9E484CA3D5D63954C9C342
                                                      Function 00007FF888058668 Relevance: .0, Instructions: 17COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2be5f995d76ed55246065a978dc647b44ff4e4a2db4a8a7e3d88dffd1f6e98b9
                                                      • Instruction ID: 1125a169c3233a89c42b4eb1f8f15664148e632e78a0a93c19627442d19eac32
                                                      • Opcode Fuzzy Hash: 2be5f995d76ed55246065a978dc647b44ff4e4a2db4a8a7e3d88dffd1f6e98b9
                                                      • Instruction Fuzzy Hash: A7E08C72448B058BEB14E620C0446A673E2FF95345F110438D08BC33A2DF34FD09CB49
                                                      Function 00007FF8880580A0 Relevance: .0, Instructions: 17COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 777231282afff7ff4d19e6106a03fa82bb6046376e80f7d9b6fae48b7591b9a9
                                                      • Instruction ID: d6da5f34390fec5b3431111dac8aa1d6fd2a9b5d2a48ebf4fc9ecb066b628fd5
                                                      • Opcode Fuzzy Hash: 777231282afff7ff4d19e6106a03fa82bb6046376e80f7d9b6fae48b7591b9a9
                                                      • Instruction Fuzzy Hash: DAE08C3115C3028FC74DEA14C06257ABBE1FB4A304F20547EA097860E2CA34A505CF56
                                                      Function 00007FF888058ABB Relevance: .0, Instructions: 15COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3eeaf999e3fb90455b9396c159d850e3bec4cc5331b2059e177464b3abdf7c5b
                                                      • Instruction ID: e5f199affe1aaed5bf60373fa2b0dc4ff3d337e6a2357bb666c8e0419a650daf
                                                      • Opcode Fuzzy Hash: 3eeaf999e3fb90455b9396c159d850e3bec4cc5331b2059e177464b3abdf7c5b
                                                      • Instruction Fuzzy Hash: 5BD0A7318584118BDF083675484A0A47128FF41715B201075C497B7055EE39D4539AC8
                                                      Function 00007FF888050170 Relevance: .0, Instructions: 14COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cb52478cd108f0e93a2b3638d42da9c0779f524f0f5abf2c00ba58ac36d45579
                                                      • Instruction ID: e98aa7da6d7c9baf0f66fd2e5d49a0712769dac759c7d9812be5532be6a15f91
                                                      • Opcode Fuzzy Hash: cb52478cd108f0e93a2b3638d42da9c0779f524f0f5abf2c00ba58ac36d45579
                                                      • Instruction Fuzzy Hash: F2C012309969198FD649B73484511947152BF49308BD008BCD00DC6282EE3F98C2C701
                                                      Function 00007FF888058764 Relevance: .0, Instructions: 14COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c161e2e9ffe40a2e327b16ae56289ab9b156525fcc7f9d8c3f23d017ebeb242a
                                                      • Instruction ID: c116bce8002ccac781a0abfae27414b2b10db01cdd51e2c5f28fe62c817b68a9
                                                      • Opcode Fuzzy Hash: c161e2e9ffe40a2e327b16ae56289ab9b156525fcc7f9d8c3f23d017ebeb242a
                                                      • Instruction Fuzzy Hash: 54D022300482048A832876594807064B311FF80350B200278A05F022A3CF399A03D2C4

                                                      Non-executed Functions

                                                      Function 00007FF888040B40 Relevance: 1.6, Instructions: 1615COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0b6843b79f1670028db2c10011469db78bc448970111ec5cae728130444017fb
                                                      • Instruction ID: 1301f95453b35698fe7bd77ea83309f1d9e72377a03b9bd62497bf19f4362769
                                                      • Opcode Fuzzy Hash: 0b6843b79f1670028db2c10011469db78bc448970111ec5cae728130444017fb
                                                      • Instruction Fuzzy Hash: A0A2E23499CB4A4BD71C9E188482535B3E1FB85708F6456BDCEDB83283DA34BC5386CA
                                                      Function 00007FF8880575C9 Relevance: 1.4, Strings: 1, Instructions: 187COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: gfff
                                                      • API String ID: 0-1553575800
                                                      • Opcode ID: c340528099b7b0acebb130a21ca0a8d4ad574db6c040c5cfb37624f29b486da1
                                                      • Instruction ID: dc8428e9c001bab509a3580cf172a54cb9dd3c49d1dfe84930bd063dcd709fb7
                                                      • Opcode Fuzzy Hash: c340528099b7b0acebb130a21ca0a8d4ad574db6c040c5cfb37624f29b486da1
                                                      • Instruction Fuzzy Hash: 3051252260D7890FD31E96785C164A17FE5EB87220B0982FFD486CB1E7E9185C07C392
                                                      Function 00007FF888043AFF Relevance: .5, Instructions: 469COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1748709286.00007FF888040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff888040000_hesaphareketi-20-12-2024-pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 811ac0ee81478af5bb9fc1321eb69094cb179d12f19fc60deda54c8a517f537f
                                                      • Instruction ID: dea269855c3d1213ab3183bc98c375889e400fefe7f64b7234ae12737454175f
                                                      • Opcode Fuzzy Hash: 811ac0ee81478af5bb9fc1321eb69094cb179d12f19fc60deda54c8a517f537f
                                                      • Instruction Fuzzy Hash: E5F1CF70AD8A058FE718EF288545175B7E1FF85349F2584BEC08A8B1D2DB35E983CB85

                                                      Execution Graph

                                                      Execution Coverage:8.7%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:93
                                                      Total number of Limit Nodes:13
                                                      execution_graph 24147 14fd01c 24148 14fd034 24147->24148 24149 14fd08e 24148->24149 24152 60766f0 24148->24152 24160 6076710 24148->24160 24155 60766f5 24152->24155 24153 6076771 24157 607676f 24153->24157 24180 6076300 24153->24180 24155->24153 24156 6076761 24155->24156 24168 6076888 24156->24168 24174 6076898 24156->24174 24157->24157 24163 607673d 24160->24163 24161 6076771 24162 6076300 CallWindowProcW 24161->24162 24165 607676f 24161->24165 24162->24165 24163->24161 24164 6076761 24163->24164 24166 6076888 2 API calls 24164->24166 24167 6076898 2 API calls 24164->24167 24165->24165 24166->24165 24167->24165 24171 607688c 24168->24171 24169 6076300 CallWindowProcW 24169->24171 24170 6076982 24170->24157 24171->24169 24171->24170 24184 6076d68 24171->24184 24189 6076d78 24171->24189 24177 60768a6 24174->24177 24175 6076300 CallWindowProcW 24175->24177 24176 6076982 24176->24157 24177->24175 24177->24176 24178 6076d68 OleGetClipboard 24177->24178 24179 6076d78 OleGetClipboard 24177->24179 24178->24177 24179->24177 24181 607630b 24180->24181 24182 6076a32 CallWindowProcW 24181->24182 24183 60769e1 24181->24183 24182->24183 24183->24157 24185 6076d6c 24184->24185 24186 6076d5e 24185->24186 24194 6076f30 24185->24194 24200 6076f1f 24185->24200 24186->24171 24190 6076d7a 24189->24190 24191 6076d5e 24190->24191 24192 6076f30 OleGetClipboard 24190->24192 24193 6076f1f OleGetClipboard 24190->24193 24191->24171 24192->24190 24193->24190 24195 6076f38 24194->24195 24196 6076f4c 24195->24196 24206 6076f6b 24195->24206 24217 6076f78 24195->24217 24196->24185 24197 6076f61 24197->24185 24201 6076f2a 24200->24201 24202 6076f4c 24201->24202 24204 6076f6b OleGetClipboard 24201->24204 24205 6076f78 OleGetClipboard 24201->24205 24202->24185 24203 6076f61 24203->24185 24204->24203 24205->24203 24207 6076f72 24206->24207 24208 6076fa5 24207->24208 24210 6076fe9 24207->24210 24213 6076f6b OleGetClipboard 24208->24213 24214 6076f78 OleGetClipboard 24208->24214 24209 6076fab 24209->24197 24212 6077069 24210->24212 24228 6077230 24210->24228 24232 6077240 24210->24232 24211 6077087 24211->24197 24212->24197 24213->24209 24214->24209 24218 6076f8a 24217->24218 24219 6076fa5 24218->24219 24221 6076fe9 24218->24221 24224 6076f6b OleGetClipboard 24219->24224 24225 6076f78 OleGetClipboard 24219->24225 24220 6076fab 24220->24197 24223 6077069 24221->24223 24226 6077230 OleGetClipboard 24221->24226 24227 6077240 OleGetClipboard 24221->24227 24222 6077087 24222->24197 24223->24197 24224->24220 24225->24220 24226->24222 24227->24222 24230 607723c 24228->24230 24231 607727b 24230->24231 24236 60766a0 24230->24236 24231->24211 24234 6077255 24232->24234 24233 60766a0 OleGetClipboard 24233->24234 24234->24233 24235 607727b 24234->24235 24235->24211 24237 60772e8 OleGetClipboard 24236->24237 24239 6077382 24237->24239 24240 6077150 24241 607715b 24240->24241 24242 607716b 24241->24242 24244 607658c 24241->24244 24245 60771a0 OleInitialize 24244->24245 24246 6077204 24245->24246 24246->24242 24247 60790b0 24250 60790f4 SetWindowsHookExA 24247->24250 24249 607913a 24250->24249 24251 6076c98 24254 6076ca0 24251->24254 24253 6076cc3 24254->24253 24255 6076354 24254->24255 24256 6076cd8 KiUserCallbackDispatcher 24255->24256 24258 6076d46 24256->24258 24258->24254

                                                      Executed Functions

                                                      Function 01589BB0 Relevance: 2.9, Instructions: 2857COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2249057b7e0ca8367abd11db8963a4645f3a4dd359516e582cb1d0338220946a
                                                      • Instruction ID: 39cc32d32f70c09ad52583c3747bbf27b5e42c6712521e7d9d41ecd7dca0c209
                                                      • Opcode Fuzzy Hash: 2249057b7e0ca8367abd11db8963a4645f3a4dd359516e582cb1d0338220946a
                                                      • Instruction Fuzzy Hash: 0263F931D10B1A8ADB11EF68C8945A9F7B1FF99300F55C79AE4587B121EB70AAC4CF81
                                                      Function 01584190 Relevance: 2.8, Strings: 2, Instructions: 281COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 618 1584190-15841f6 620 15841f8-1584203 618->620 621 1584240-1584242 618->621 620->621 622 1584205-1584211 620->622 623 1584244-158425d 621->623 624 1584213-158421d 622->624 625 1584234-158423e 622->625 630 15842a9-15842ab 623->630 631 158425f-158426b 623->631 626 158421f 624->626 627 1584221-1584230 624->627 625->623 626->627 627->627 629 1584232 627->629 629->625 632 15842ad-1584305 630->632 631->630 633 158426d-1584279 631->633 642 158434f-1584351 632->642 643 1584307-1584312 632->643 634 158427b-1584285 633->634 635 158429c-15842a7 633->635 636 1584289-1584298 634->636 637 1584287 634->637 635->632 636->636 639 158429a 636->639 637->636 639->635 644 1584353-158436b 642->644 643->642 645 1584314-1584320 643->645 652 158436d-1584378 644->652 653 15843b5-15843b7 644->653 646 1584322-158432c 645->646 647 1584343-158434d 645->647 648 158432e 646->648 649 1584330-158433f 646->649 647->644 648->649 649->649 651 1584341 649->651 651->647 652->653 655 158437a-1584386 652->655 654 15843b9-158440a 653->654 663 1584410-158441e 654->663 656 1584388-1584392 655->656 657 15843a9-15843b3 655->657 659 1584394 656->659 660 1584396-15843a5 656->660 657->654 659->660 660->660 661 15843a7 660->661 661->657 664 1584420-1584426 663->664 665 1584427-1584487 663->665 664->665 672 1584489-158448d 665->672 673 1584497-158449b 665->673 672->673 674 158448f 672->674 675 15844ab-15844af 673->675 676 158449d-15844a1 673->676 674->673 678 15844bf-15844c3 675->678 679 15844b1-15844b5 675->679 676->675 677 15844a3 676->677 677->675 680 15844d3-15844d7 678->680 681 15844c5-15844c9 678->681 679->678 682 15844b7-15844ba call 1580ab8 679->682 684 15844d9-15844dd 680->684 685 15844e7-15844eb 680->685 681->680 683 15844cb-15844ce call 1580ab8 681->683 682->678 683->680 684->685 688 15844df-15844e2 call 1580ab8 684->688 689 15844fb-15844ff 685->689 690 15844ed-15844f1 685->690 688->685 693 158450f 689->693 694 1584501-1584505 689->694 690->689 692 15844f3 690->692 692->689 696 1584510 693->696 694->693 695 1584507 694->695 695->693 696->696
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: _^L1$_^L1
                                                      • API String ID: 0-2346460481
                                                      • Opcode ID: 740ae6395c9d852d4fe49f00fae7e3cef7e236a84cefef194caa85c643a58954
                                                      • Instruction ID: e9af4c25bcb9db38c3a8ebfab4cdd740e18eed2f97a90d1463bf5aaa161db951
                                                      • Opcode Fuzzy Hash: 740ae6395c9d852d4fe49f00fae7e3cef7e236a84cefef194caa85c643a58954
                                                      • Instruction Fuzzy Hash: 26B11070E0420ACFDB14DFA9D8857AEBBF2BF88314F148529D815FB254EB749885CB91
                                                      Function 01584A60 Relevance: 2.8, Strings: 2, Instructions: 266COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 776 1584a60-1584ac6 778 1584ac8-1584ad3 776->778 779 1584b10-1584b12 776->779 778->779 780 1584ad5-1584ae1 778->780 781 1584b14-1584b2d 779->781 782 1584ae3-1584aed 780->782 783 1584b04-1584b0e 780->783 788 1584b79-1584b7b 781->788 789 1584b2f-1584b3b 781->789 784 1584aef 782->784 785 1584af1-1584b00 782->785 783->781 784->785 785->785 787 1584b02 785->787 787->783 790 1584b7d-1584b95 788->790 789->788 791 1584b3d-1584b49 789->791 798 1584bdf-1584be1 790->798 799 1584b97-1584ba2 790->799 792 1584b4b-1584b55 791->792 793 1584b6c-1584b77 791->793 794 1584b59-1584b68 792->794 795 1584b57 792->795 793->790 794->794 797 1584b6a 794->797 795->794 797->793 800 1584be3-1584bfb 798->800 799->798 801 1584ba4-1584bb0 799->801 807 1584bfd-1584c08 800->807 808 1584c45-1584c47 800->808 802 1584bb2-1584bbc 801->802 803 1584bd3-1584bdd 801->803 805 1584bbe 802->805 806 1584bc0-1584bcf 802->806 803->800 805->806 806->806 809 1584bd1 806->809 807->808 810 1584c0a-1584c16 807->810 811 1584c49-1584cbc 808->811 809->803 812 1584c18-1584c22 810->812 813 1584c39-1584c43 810->813 820 1584cc2-1584cd0 811->820 814 1584c24 812->814 815 1584c26-1584c35 812->815 813->811 814->815 815->815 817 1584c37 815->817 817->813 821 1584cd9-1584d39 820->821 822 1584cd2-1584cd8 820->822 829 1584d49-1584d4d 821->829 830 1584d3b-1584d3f 821->830 822->821 831 1584d5d-1584d61 829->831 832 1584d4f-1584d53 829->832 830->829 833 1584d41 830->833 835 1584d71-1584d75 831->835 836 1584d63-1584d67 831->836 832->831 834 1584d55 832->834 833->829 834->831 838 1584d85-1584d89 835->838 839 1584d77-1584d7b 835->839 836->835 837 1584d69 836->837 837->835 841 1584d99-1584d9d 838->841 842 1584d8b-1584d8f 838->842 839->838 840 1584d7d 839->840 840->838 843 1584dad 841->843 844 1584d9f-1584da3 841->844 842->841 845 1584d91-1584d94 call 1580ab8 842->845 849 1584dae 843->849 844->843 847 1584da5-1584da8 call 1580ab8 844->847 845->841 847->843 849->849
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: _^L1$_^L1
                                                      • API String ID: 0-2346460481
                                                      • Opcode ID: 22d890d52eaa4a5a104664564b0637b4702438ae633b73dfc2bf99cb2bc827c3
                                                      • Instruction ID: 3621140d7c3cc5f9ee1ef707b288b6095d893f97513db48ae627c96a17527250
                                                      • Opcode Fuzzy Hash: 22d890d52eaa4a5a104664564b0637b4702438ae633b73dfc2bf99cb2bc827c3
                                                      • Instruction Fuzzy Hash: 6BB12D70E0020ACFDF14DFA9D8957AEBBF2BF88314F148529D815BB294EB749845CB81
                                                      Function 01583E48 Relevance: 2.7, Strings: 2, Instructions: 238COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 925 1583e48-1583eae 927 1583ef8-1583efa 925->927 928 1583eb0-1583ebb 925->928 930 1583efc-1583f54 927->930 928->927 929 1583ebd-1583ec9 928->929 931 1583ecb-1583ed5 929->931 932 1583eec-1583ef6 929->932 939 1583f9e-1583fa0 930->939 940 1583f56-1583f61 930->940 933 1583ed9-1583ee8 931->933 934 1583ed7 931->934 932->930 933->933 936 1583eea 933->936 934->933 936->932 942 1583fa2-1583fba 939->942 940->939 941 1583f63-1583f6f 940->941 943 1583f71-1583f7b 941->943 944 1583f92-1583f9c 941->944 949 1583fbc-1583fc7 942->949 950 1584004-1584006 942->950 945 1583f7d 943->945 946 1583f7f-1583f8e 943->946 944->942 945->946 946->946 948 1583f90 946->948 948->944 949->950 952 1583fc9-1583fd5 949->952 951 1584008-1584056 950->951 960 158405c-158406a 951->960 953 1583ff8-1584002 952->953 954 1583fd7-1583fe1 952->954 953->951 955 1583fe3 954->955 956 1583fe5-1583ff4 954->956 955->956 956->956 958 1583ff6 956->958 958->953 961 158406c-1584072 960->961 962 1584073-15840d3 960->962 961->962 969 15840e3-15840e7 962->969 970 15840d5-15840d9 962->970 972 15840e9-15840ed 969->972 973 15840f7-15840fb 969->973 970->969 971 15840db 970->971 971->969 972->973 974 15840ef-15840f2 call 1580ab8 972->974 975 158410b-158410f 973->975 976 15840fd-1584101 973->976 974->973 979 158411f-1584123 975->979 980 1584111-1584115 975->980 976->975 978 1584103-1584106 call 1580ab8 976->978 978->975 981 1584133-1584137 979->981 982 1584125-1584129 979->982 980->979 984 1584117-158411a call 1580ab8 980->984 986 1584139-158413d 981->986 987 1584147 981->987 982->981 985 158412b 982->985 984->979 985->981 986->987 989 158413f 986->989 990 1584148 987->990 989->987 990->990
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: _^L1$_^L1
                                                      • API String ID: 0-2346460481
                                                      • Opcode ID: e24dd33b425dc2f87196e00d1693ca1a43b18ec3792547fcc38ce7e7c46db832
                                                      • Instruction ID: a8d12c8ba614b551f36e6e636b2cde60acc381425b6699e140b73a18dc691dd1
                                                      • Opcode Fuzzy Hash: e24dd33b425dc2f87196e00d1693ca1a43b18ec3792547fcc38ce7e7c46db832
                                                      • Instruction Fuzzy Hash: 79915070E00309DFDB10DFA9C88579EBBF2BF88714F148529E855BB294EB759845CB81
                                                      Function 0158CF20 Relevance: 2.3, Instructions: 2313COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cc3bcbfe72d911573818683712b0bb78a6b335e4486795971b6e4859bb8db054
                                                      • Instruction ID: 7b20cadefef997376a4856bdca1da07a958c1d50d84390abcc7334c7694d76b2
                                                      • Opcode Fuzzy Hash: cc3bcbfe72d911573818683712b0bb78a6b335e4486795971b6e4859bb8db054
                                                      • Instruction Fuzzy Hash: 41332E31D107198EDB11EF68C8946ADF7B1FF99300F14C69AE449BB251EB70AAC5CB81
                                                      Function 06076300 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 0 6076300-60769d4 3 6076a84-6076aa4 0->3 4 60769da-60769df 0->4 10 6076aa7-6076ab4 3->10 5 6076a32-6076a6a CallWindowProcW 4->5 6 60769e1-6076a18 4->6 8 6076a73-6076a82 5->8 9 6076a6c-6076a72 5->9 12 6076a21-6076a30 6->12 13 6076a1a-6076a20 6->13 8->10 9->8 12->10 13->12
                                                      APIs
                                                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 06076A59
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3888548842.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_6070000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID: CallProcWindow
                                                      • String ID: _^L1
                                                      • API String ID: 2714655100-3642409825
                                                      • Opcode ID: ccde4fd7e928e303f9f22c9e6e9e03dac21a3092e6122be034411a8847fc25e2
                                                      • Instruction ID: 5764df03f049b95f9bba879ef6ebbd73f632531518d8d909ca7143e02848c360
                                                      • Opcode Fuzzy Hash: ccde4fd7e928e303f9f22c9e6e9e03dac21a3092e6122be034411a8847fc25e2
                                                      • Instruction Fuzzy Hash: 224165B4D10709DFDB44DF99C888AAABBF5FB88314F24C459D41AAB321C371A840CFA4
                                                      Function 060772DD Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 77comclipboardCOMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 16 60772dd-6077338 18 6077342-6077380 OleGetClipboard 16->18 19 6077382-6077388 18->19 20 6077389-60773d7 18->20 19->20 25 60773e7 20->25 26 60773d9-60773dd 20->26 28 60773e8 25->28 26->25 27 60773df 26->27 27->25 28->28
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3888548842.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_6070000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID: Clipboard
                                                      • String ID: _^L1
                                                      • API String ID: 220874293-3642409825
                                                      • Opcode ID: 4be7f33cc3b5534728d5bbc57ca6b2e80180265b194285b1104a3a52faa6a351
                                                      • Instruction ID: d0ee26bf0cce6cce2c7c47ecf217e70c5604fd8e2af280ae0bb9f35acf805242
                                                      • Opcode Fuzzy Hash: 4be7f33cc3b5534728d5bbc57ca6b2e80180265b194285b1104a3a52faa6a351
                                                      • Instruction Fuzzy Hash: D23104B0D01349EFDB54DF99C984BDEBBF5AF48704F248019E404BB290DBB5A885CBA5
                                                      Function 060766A0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74comclipboardCOMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 29 60766a0-6077380 OleGetClipboard 32 6077382-6077388 29->32 33 6077389-60773d7 29->33 32->33 38 60773e7 33->38 39 60773d9-60773dd 33->39 41 60773e8 38->41 39->38 40 60773df 39->40 40->38 41->41
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3888548842.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_6070000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID: Clipboard
                                                      • String ID: _^L1
                                                      • API String ID: 220874293-3642409825
                                                      • Opcode ID: 594881ae26d4541834baa81479333acef80155b2a665dac94d978b5d2261a541
                                                      • Instruction ID: a4bdb44b43701062b57dbba8e124f52c7b64a58c9bf7f5cc8745e50b901c9166
                                                      • Opcode Fuzzy Hash: 594881ae26d4541834baa81479333acef80155b2a665dac94d978b5d2261a541
                                                      • Instruction Fuzzy Hash: 5F31E2B0D45348DFDB54DF99C984B9EBBF5AB48304F248029E404BB390DBB5A885CBA5
                                                      Function 060790AB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 42 60790ab-60790ac 43 60790ae-60790fa 42->43 44 6079078-607907e 42->44 49 6079106-6079138 SetWindowsHookExA 43->49 50 60790fc-6079104 43->50 47 607907f 44->47 47->47 51 6079141-6079161 49->51 52 607913a-6079140 49->52 50->49 52->51
                                                      APIs
                                                      • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 0607912B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3888548842.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_6070000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID: HookWindows
                                                      • String ID: _^L1
                                                      • API String ID: 2559412058-3642409825
                                                      • Opcode ID: 1a000719eca62020b6f4b57dfe986eee5a9fa4fc75533712d1d62164271ce584
                                                      • Instruction ID: 25a1becfceac5a4871a15d698b9ca05be8e3b39f111f0b450d4c0e2c92d1653e
                                                      • Opcode Fuzzy Hash: 1a000719eca62020b6f4b57dfe986eee5a9fa4fc75533712d1d62164271ce584
                                                      • Instruction Fuzzy Hash: 24216DB5D002099FDB50CFA9D844BEEBFF5FB48320F20841AD455A7250C7755944CFA1
                                                      Function 06076334 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 56 6076334-6076d11 60 6076d19-6076d44 KiUserCallbackDispatcher 56->60 61 6076d46-6076d4c 60->61 62 6076d4d-6076d61 60->62 61->62
                                                      APIs
                                                      • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,06076CAD), ref: 06076D37
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3888548842.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_6070000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID: CallbackDispatcherUser
                                                      • String ID: _^L1
                                                      • API String ID: 2492992576-3642409825
                                                      • Opcode ID: 898beaeac0e0598e132f3973dea0215fe2dde307a3bcd3d3342010c21ac439b9
                                                      • Instruction ID: 88850c6d0b1f5eb26d311a7d4f640e706a3cc8bdd76b9ddac3d06d777ff96f0d
                                                      • Opcode Fuzzy Hash: 898beaeac0e0598e132f3973dea0215fe2dde307a3bcd3d3342010c21ac439b9
                                                      • Instruction Fuzzy Hash: 0F2186B0808788CFDB10DF99C844BDEBFF4AB49320F20805AD459AB251C7756944CBAA
                                                      Function 060790B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 65 60790b0-60790fa 67 6079106-6079138 SetWindowsHookExA 65->67 68 60790fc-6079104 65->68 69 6079141-6079161 67->69 70 607913a-6079140 67->70 68->67 70->69
                                                      APIs
                                                      • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 0607912B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3888548842.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_6070000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID: HookWindows
                                                      • String ID: _^L1
                                                      • API String ID: 2559412058-3642409825
                                                      • Opcode ID: 7b9fc481d2486a7c4e052846ab498552a0c4d4577fc87b154750baba32c25036
                                                      • Instruction ID: 59d76e4428d1c0313f0cb1bcea8dcde994171323d66d523a20be4ba82dafd12d
                                                      • Opcode Fuzzy Hash: 7b9fc481d2486a7c4e052846ab498552a0c4d4577fc87b154750baba32c25036
                                                      • Instruction Fuzzy Hash: 2E2136B5D002099FCB54DF9AD844BEEFBF5FB88310F10842AD459A7250C775A944CFA4
                                                      Function 0607658C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46comCOMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 81 607658c-6077202 OleInitialize 83 6077204-607720a 81->83 84 607720b-6077228 81->84 83->84
                                                      APIs
                                                      • OleInitialize.OLE32(00000000), ref: 060771F5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3888548842.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_6070000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID: Initialize
                                                      • String ID: _^L1
                                                      • API String ID: 2538663250-3642409825
                                                      • Opcode ID: 6a7cfc763a0f53fc3b6d54ee482197188fa8ecee6b8d3ae0629a6e63caf82441
                                                      • Instruction ID: 37e60b2c5ee70e105fb4acc0ca6d54fdca7bb10d34faa429fa765cab8017c365
                                                      • Opcode Fuzzy Hash: 6a7cfc763a0f53fc3b6d54ee482197188fa8ecee6b8d3ae0629a6e63caf82441
                                                      • Instruction Fuzzy Hash: 7D1115B5D047488FDB60DF9AC844BDEBBF4EB48320F148469E559A7201D378A944CFA5
                                                      Function 06076354 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 74 6076354-6076d44 KiUserCallbackDispatcher 77 6076d46-6076d4c 74->77 78 6076d4d-6076d61 74->78 77->78
                                                      APIs
                                                      • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,06076CAD), ref: 06076D37
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3888548842.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_6070000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID: CallbackDispatcherUser
                                                      • String ID: _^L1
                                                      • API String ID: 2492992576-3642409825
                                                      • Opcode ID: 7bfc6b23a1d4cf95371f3495aa8e46791680d8d3dcc38cadfcc4d86afb73c8c5
                                                      • Instruction ID: 0820c68e3012dcc2d1fcf65806e46d8cde3b35d86b3da4e3cf1e29927fa2686d
                                                      • Opcode Fuzzy Hash: 7bfc6b23a1d4cf95371f3495aa8e46791680d8d3dcc38cadfcc4d86afb73c8c5
                                                      • Instruction Fuzzy Hash: 091122B4C00748CFCB50DF9AD844B9EBBF4EB49320F20842AD919A7240C3B5A944CFA9
                                                      Function 06076CD0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 87 6076cd0-6076d11 89 6076d19-6076d44 KiUserCallbackDispatcher 87->89 90 6076d46-6076d4c 89->90 91 6076d4d-6076d61 89->91 90->91
                                                      APIs
                                                      • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,06076CAD), ref: 06076D37
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3888548842.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_6070000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID: CallbackDispatcherUser
                                                      • String ID: _^L1
                                                      • API String ID: 2492992576-3642409825
                                                      • Opcode ID: 56a359fd0a591284acb6ffcfe47c646fcf982c61a6f603cbac22f4142251f14c
                                                      • Instruction ID: d866a1362b45ebccf001ffb6d93c0ac334ccd9d1e1f38ca8ce6a6d15662b0220
                                                      • Opcode Fuzzy Hash: 56a359fd0a591284acb6ffcfe47c646fcf982c61a6f603cbac22f4142251f14c
                                                      • Instruction Fuzzy Hash: 6D1122B4C00748CFCB60CF9AD844BDEBBF4AB48324F20842AD859A7240C775A944CFA5
                                                      Function 06077199 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42comCOMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 94 6077199-6077202 OleInitialize 95 6077204-607720a 94->95 96 607720b-6077228 94->96 95->96
                                                      APIs
                                                      • OleInitialize.OLE32(00000000), ref: 060771F5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3888548842.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_6070000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID: Initialize
                                                      • String ID: _^L1
                                                      • API String ID: 2538663250-3642409825
                                                      • Opcode ID: a93e58560527b819ab3192fdd405e75b35dc0e5189e93326228243f062d64738
                                                      • Instruction ID: 7476d8d2d5ab2e86456e0cad7a5b29368eb50cd471120cb51579078c67e2014b
                                                      • Opcode Fuzzy Hash: a93e58560527b819ab3192fdd405e75b35dc0e5189e93326228243f062d64738
                                                      • Instruction Fuzzy Hash: C41130B49006898FDB20CFAAC444BDEFBF4AB48320F24845AE469A7641C378A544CFA4
                                                      Function 01584184 Relevance: 2.8, Strings: 2, Instructions: 277COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 697 1584184-15841f6 699 15841f8-1584203 697->699 700 1584240-1584242 697->700 699->700 701 1584205-1584211 699->701 702 1584244-158425d 700->702 703 1584213-158421d 701->703 704 1584234-158423e 701->704 709 15842a9-15842ab 702->709 710 158425f-158426b 702->710 705 158421f 703->705 706 1584221-1584230 703->706 704->702 705->706 706->706 708 1584232 706->708 708->704 711 15842ad-1584305 709->711 710->709 712 158426d-1584279 710->712 721 158434f-1584351 711->721 722 1584307-1584312 711->722 713 158427b-1584285 712->713 714 158429c-15842a7 712->714 715 1584289-1584298 713->715 716 1584287 713->716 714->711 715->715 718 158429a 715->718 716->715 718->714 723 1584353-158436b 721->723 722->721 724 1584314-1584320 722->724 731 158436d-1584378 723->731 732 15843b5-15843b7 723->732 725 1584322-158432c 724->725 726 1584343-158434d 724->726 727 158432e 725->727 728 1584330-158433f 725->728 726->723 727->728 728->728 730 1584341 728->730 730->726 731->732 734 158437a-1584386 731->734 733 15843b9-15843cb 732->733 741 15843d2-158440a 733->741 735 1584388-1584392 734->735 736 15843a9-15843b3 734->736 738 1584394 735->738 739 1584396-15843a5 735->739 736->733 738->739 739->739 740 15843a7 739->740 740->736 742 1584410-158441e 741->742 743 1584420-1584426 742->743 744 1584427-1584487 742->744 743->744 751 1584489-158448d 744->751 752 1584497-158449b 744->752 751->752 753 158448f 751->753 754 15844ab-15844af 752->754 755 158449d-15844a1 752->755 753->752 757 15844bf-15844c3 754->757 758 15844b1-15844b5 754->758 755->754 756 15844a3 755->756 756->754 759 15844d3-15844d7 757->759 760 15844c5-15844c9 757->760 758->757 761 15844b7-15844ba call 1580ab8 758->761 763 15844d9-15844dd 759->763 764 15844e7-15844eb 759->764 760->759 762 15844cb-15844ce call 1580ab8 760->762 761->757 762->759 763->764 767 15844df-15844e2 call 1580ab8 763->767 768 15844fb-15844ff 764->768 769 15844ed-15844f1 764->769 767->764 772 158450f 768->772 773 1584501-1584505 768->773 769->768 771 15844f3 769->771 771->768 775 1584510 772->775 773->772 774 1584507 773->774 774->772 775->775
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: _^L1$_^L1
                                                      • API String ID: 0-2346460481
                                                      • Opcode ID: 0896f8df43e11ee2108f7d11dcb609c46c0f7569b5610a5b220a3fc0ae86d378
                                                      • Instruction ID: 84b7d34824d96094defe6bee83a28b5c78ec1024691e7aa2e278ab479bc86184
                                                      • Opcode Fuzzy Hash: 0896f8df43e11ee2108f7d11dcb609c46c0f7569b5610a5b220a3fc0ae86d378
                                                      • Instruction Fuzzy Hash: DAB11D70E0421ACFDB10EFA9D88579EBBF1BF48314F148529D815FB254EB749885CB91
                                                      Function 01584A57 Relevance: 2.8, Strings: 2, Instructions: 261COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 850 1584a57-1584ac6 853 1584ac8-1584ad3 850->853 854 1584b10-1584b12 850->854 853->854 855 1584ad5-1584ae1 853->855 856 1584b14-1584b2d 854->856 857 1584ae3-1584aed 855->857 858 1584b04-1584b0e 855->858 863 1584b79-1584b7b 856->863 864 1584b2f-1584b3b 856->864 859 1584aef 857->859 860 1584af1-1584b00 857->860 858->856 859->860 860->860 862 1584b02 860->862 862->858 865 1584b7d-1584b95 863->865 864->863 866 1584b3d-1584b49 864->866 873 1584bdf-1584be1 865->873 874 1584b97-1584ba2 865->874 867 1584b4b-1584b55 866->867 868 1584b6c-1584b77 866->868 869 1584b59-1584b68 867->869 870 1584b57 867->870 868->865 869->869 872 1584b6a 869->872 870->869 872->868 875 1584be3-1584bfb 873->875 874->873 876 1584ba4-1584bb0 874->876 882 1584bfd-1584c08 875->882 883 1584c45-1584c47 875->883 877 1584bb2-1584bbc 876->877 878 1584bd3-1584bdd 876->878 880 1584bbe 877->880 881 1584bc0-1584bcf 877->881 878->875 880->881 881->881 884 1584bd1 881->884 882->883 885 1584c0a-1584c16 882->885 886 1584c49-1584c7f 883->886 884->878 887 1584c18-1584c22 885->887 888 1584c39-1584c43 885->888 894 1584c87-1584cbc 886->894 889 1584c24 887->889 890 1584c26-1584c35 887->890 888->886 889->890 890->890 892 1584c37 890->892 892->888 895 1584cc2-1584cd0 894->895 896 1584cd9-1584d39 895->896 897 1584cd2-1584cd8 895->897 904 1584d49-1584d4d 896->904 905 1584d3b-1584d3f 896->905 897->896 906 1584d5d-1584d61 904->906 907 1584d4f-1584d53 904->907 905->904 908 1584d41 905->908 910 1584d71-1584d75 906->910 911 1584d63-1584d67 906->911 907->906 909 1584d55 907->909 908->904 909->906 913 1584d85-1584d89 910->913 914 1584d77-1584d7b 910->914 911->910 912 1584d69 911->912 912->910 916 1584d99-1584d9d 913->916 917 1584d8b-1584d8f 913->917 914->913 915 1584d7d 914->915 915->913 918 1584dad 916->918 919 1584d9f-1584da3 916->919 917->916 920 1584d91-1584d94 call 1580ab8 917->920 924 1584dae 918->924 919->918 922 1584da5-1584da8 call 1580ab8 919->922 920->916 922->918 924->924
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: _^L1$_^L1
                                                      • API String ID: 0-2346460481
                                                      • Opcode ID: 2e435b0c3dedb01d0ef0feda3896ffd2e52c743058662a73037410fa2b1706bb
                                                      • Instruction ID: 4f703aa3d830625d96d030b87db33d877fbeae196b2094a34da2d05bf8009f53
                                                      • Opcode Fuzzy Hash: 2e435b0c3dedb01d0ef0feda3896ffd2e52c743058662a73037410fa2b1706bb
                                                      • Instruction Fuzzy Hash: A8B12B70E0020ACFDF10EFA9D88579EBBF2BF48715F148529D815BB294EB759885CB81
                                                      Function 01583E3F Relevance: 2.7, Strings: 2, Instructions: 234COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: _^L1$_^L1
                                                      • API String ID: 0-2346460481
                                                      • Opcode ID: 123a6677318ad34f8892379ff3476ea57be7255c8d9f5e1937c61e55486d89a4
                                                      • Instruction ID: 6bd85112de88c27dbc3646b65e79e718418edb518047024a8f4c6160ea9faf16
                                                      • Opcode Fuzzy Hash: 123a6677318ad34f8892379ff3476ea57be7255c8d9f5e1937c61e55486d89a4
                                                      • Instruction Fuzzy Hash: 52915E70E0030ADFDB10EFA9C88579EBBF1BF48714F148529E855BB294EB759885CB81
                                                      Function 01586CA4 Relevance: 2.6, Strings: 2, Instructions: 134COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: _^L1$_^L1
                                                      • API String ID: 0-2346460481
                                                      • Opcode ID: 56b4f20f939ac4e4a9c47af73654c0e3a1257406f24f191baa45d9237d3026e9
                                                      • Instruction ID: 61c7411d31593853fd2410ce08ea3eba69bc88ba6539bee26c4a5681c64b3838
                                                      • Opcode Fuzzy Hash: 56b4f20f939ac4e4a9c47af73654c0e3a1257406f24f191baa45d9237d3026e9
                                                      • Instruction Fuzzy Hash: 8951F3B4D00218CFEB14DFA9C884B9EBBB1BF48710F148529E819BB391D774A844CF95
                                                      Function 01586CB0 Relevance: 2.6, Strings: 2, Instructions: 132COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: _^L1$_^L1
                                                      • API String ID: 0-2346460481
                                                      • Opcode ID: a393e0e50bd102c5af5d3945891e27cf4a3ccd13097d8464bc05e6a803a8feaa
                                                      • Instruction ID: 5480ae3909c9025305d1d8ac94e931c1842630da747f17cd15cc596ce99ab23d
                                                      • Opcode Fuzzy Hash: a393e0e50bd102c5af5d3945891e27cf4a3ccd13097d8464bc05e6a803a8feaa
                                                      • Instruction Fuzzy Hash: 2551F3B4D00218CFEB14DFA9C884B9EBBB1BF48710F148529E819BB391DB74A844CF95
                                                      Function 015826A7 Relevance: 1.3, Strings: 1, Instructions: 95COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: _^L1
                                                      • API String ID: 0-3642409825
                                                      • Opcode ID: aa49475f54f589a6e47df693acbc0d2f29f0fa9eb977cfc32a975402d62e66a6
                                                      • Instruction ID: 190daf09c277049c8d162a3827faea8dbdc39366f010b7885e6e04085826f71a
                                                      • Opcode Fuzzy Hash: aa49475f54f589a6e47df693acbc0d2f29f0fa9eb977cfc32a975402d62e66a6
                                                      • Instruction Fuzzy Hash: 9441EFB09003499FDB10EFAAC484A9EBFF5BF48310F148429E819AB254DB75A985CB90
                                                      Function 015826B0 Relevance: 1.3, Strings: 1, Instructions: 90COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: _^L1
                                                      • API String ID: 0-3642409825
                                                      • Opcode ID: 21d42e89e119dcdef890bf241f74645f16ec2ccd482a2aecab519e82843b75d6
                                                      • Instruction ID: 578e21b3a5b8dcd06d3485b4eafeb010c7f60f755e7b2d1690e90a8b9e64fa11
                                                      • Opcode Fuzzy Hash: 21d42e89e119dcdef890bf241f74645f16ec2ccd482a2aecab519e82843b75d6
                                                      • Instruction Fuzzy Hash: 3F41C0B0D00349DFDB14EFAAC484ADEBFF5BF48314F148429E819AB254DB75A985CB90
                                                      Function 0158798B Relevance: .6, Instructions: 554COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 91f4130537d7f5b496b1a3eca4969766de9fdd904d54350797a1b8fc5067219a
                                                      • Instruction ID: b4b37287f532a38c8a23befe04201f85768f1c9003a8813f768f5ba1694833d6
                                                      • Opcode Fuzzy Hash: 91f4130537d7f5b496b1a3eca4969766de9fdd904d54350797a1b8fc5067219a
                                                      • Instruction Fuzzy Hash: 28127070B002068BDB1AEB38E55462D33A7FB9D301F208A69D005DB3A5CF75EC978B95
                                                      Function 01589760 Relevance: .4, Instructions: 362COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ac743c17ab7a0514d87889418ff9583182a603a0a327262daa4c1e79a673bfd5
                                                      • Instruction ID: 859562d3cd6efe7fd39af8cde232ddbd8c6aba18cdd673a7e2e3372c86ba6404
                                                      • Opcode Fuzzy Hash: ac743c17ab7a0514d87889418ff9583182a603a0a327262daa4c1e79a673bfd5
                                                      • Instruction Fuzzy Hash: 39D19D71A00206CFEB15EFA9D8807AEBBB1FB84314F24856AE509EF395D771D841CB91
                                                      Function 015893E4 Relevance: .3, Instructions: 322COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 80c39d784b55fbb6faab2babdd3a6fed612214e42671c258ca77d2c44bddb83e
                                                      • Instruction ID: fe50cab7bd81ed66363841145bd64ee63fc47cddcdda77721735a1a97a8b18a1
                                                      • Opcode Fuzzy Hash: 80c39d784b55fbb6faab2babdd3a6fed612214e42671c258ca77d2c44bddb83e
                                                      • Instruction Fuzzy Hash: 70C16C34A00209CFDB15EFA8D994AADBBB2FF89314F148469E506EB365DB35DC42CB50
                                                      Function 0158FD58 Relevance: .2, Instructions: 152COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 209ef68f4437c6fff306825e456368989f4fb64cb0bdb5660014fe1e889e98c9
                                                      • Instruction ID: 41fa7eb50ec9ccd8d048ce4df2977bda4c4deea35eed68de7c9b2f6ff77c158b
                                                      • Opcode Fuzzy Hash: 209ef68f4437c6fff306825e456368989f4fb64cb0bdb5660014fe1e889e98c9
                                                      • Instruction Fuzzy Hash: 02514934A003058FDB64EF68D554B9DBBF2FF89704F2045AAE509AB391CB74AD45CB90
                                                      Function 01586EA3 Relevance: .1, Instructions: 148COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0b45b0d5c0f6ae2031045d060c31c9beb9717ca6cad6846b5e82bcc162289b53
                                                      • Instruction ID: 873aa2d773ecb58b50d04ebc0fea779339a676b9d44c5a15258e020e9873eb0a
                                                      • Opcode Fuzzy Hash: 0b45b0d5c0f6ae2031045d060c31c9beb9717ca6cad6846b5e82bcc162289b53
                                                      • Instruction Fuzzy Hash: 9C51B330A102158FDB16EBB9C4507AEBBF2FF8A700F50446AE415FF255EB719846CB51
                                                      Function 01581113 Relevance: .1, Instructions: 114COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2b8a34b6af6c8762ee905f1525c43b9e8f7c02643dac95b166aedc566b3113bd
                                                      • Instruction ID: 3d9a304c7110a26053bbec15c08552953fa48176bf49ba890d1b789107ad0ac7
                                                      • Opcode Fuzzy Hash: 2b8a34b6af6c8762ee905f1525c43b9e8f7c02643dac95b166aedc566b3113bd
                                                      • Instruction Fuzzy Hash: AA519070A86241CFC705DB68F89197A3B69F75B301B04A1D9D4014B3B6EE78AD75CF82
                                                      Function 0158F465 Relevance: .1, Instructions: 113COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 43d448bc5e2cb51288a49d368e5ca920b080f4c62c1a9dcec6ba2c4d6d824ebb
                                                      • Instruction ID: 63b487a633b9310408ab8aab771c3597a28b5ab71e468334bf2e8937320676ca
                                                      • Opcode Fuzzy Hash: 43d448bc5e2cb51288a49d368e5ca920b080f4c62c1a9dcec6ba2c4d6d824ebb
                                                      • Instruction Fuzzy Hash: BC41A0317002058FDB16EFB8D56866E3BE2BB89241F24856AD406EF395DE35CC46CBA1
                                                      Function 01581138 Relevance: .1, Instructions: 100COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 30428961bec4efbfcb0f7e6b63d58bb65ab3e9bcf088fca1368dc2ccb3765a8c
                                                      • Instruction ID: 8d8bae71a1797538ad131995d5997c1a53edf8c30b8273296b18a41797dd8a84
                                                      • Opcode Fuzzy Hash: 30428961bec4efbfcb0f7e6b63d58bb65ab3e9bcf088fca1368dc2ccb3765a8c
                                                      • Instruction Fuzzy Hash: D1416F70A86241CFC705DB68F89193A3B69F75B301B04A1A9D4014B7B5DE78AD75CF82
                                                      Function 0158F328 Relevance: .1, Instructions: 99COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 112d6da16a36906ad84e8c23dfc353cf4e8c1f94f2fc616305cbd9f2b67eb1a9
                                                      • Instruction ID: a898c3dc585b082c62f7033c16682485b0aa533e9d764b0970c03bc5f6915350
                                                      • Opcode Fuzzy Hash: 112d6da16a36906ad84e8c23dfc353cf4e8c1f94f2fc616305cbd9f2b67eb1a9
                                                      • Instruction Fuzzy Hash: 86311A30A00205DBDB15EF68D45469EBBB2FF89300F24852AE806FB355EB71A846CB50
                                                      Function 01586F40 Relevance: .1, Instructions: 97COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fe93ac98a3399f3b6caa9de6142e7fd03b121344449f65e37366711cea376585
                                                      • Instruction ID: bd6cc60440beca3ce41e3f90c9aa63029d8db59f5292e908e91bd2eb2c5f0bbb
                                                      • Opcode Fuzzy Hash: fe93ac98a3399f3b6caa9de6142e7fd03b121344449f65e37366711cea376585
                                                      • Instruction Fuzzy Hash: 55317274E10209CBDB25EFA9C45079EBBB2FF89311F60452AE415FB245EB71D846CB50
                                                      Function 01581450 Relevance: .1, Instructions: 93COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 328bd86e64f420cdccd180a781e577100fc25203281caa5d2c7616058d1e7182
                                                      • Instruction ID: 792776f6aab5ab8f57ec90163247142919e7b1548a1873d53def25b60179cef6
                                                      • Opcode Fuzzy Hash: 328bd86e64f420cdccd180a781e577100fc25203281caa5d2c7616058d1e7182
                                                      • Instruction Fuzzy Hash: 1131BF72A016858FDF22BBBC98842BD7BA4FF46229F18047AD855FF252E6358843C751
                                                      Function 0158F338 Relevance: .1, Instructions: 91COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3230eeff37e76f8d0edee7d80c2e4da1bedbd57a59f70e8b6eea04637c4bad77
                                                      • Instruction ID: 9be7c72b3fc21c25a23dedc091686065aab64d982ed48755b152d17899f8637d
                                                      • Opcode Fuzzy Hash: 3230eeff37e76f8d0edee7d80c2e4da1bedbd57a59f70e8b6eea04637c4bad77
                                                      • Instruction Fuzzy Hash: F5312B30E102099BDB19EF69D45469EB7F2FF89300F10C92AE806FB355EB71AC428B50
                                                      Function 015892D1 Relevance: .1, Instructions: 86COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a26ac37256b46f37dafaa1639b6161d3c74965de31f33782a7f50f8c15282b1d
                                                      • Instruction ID: b9405d097aca4fee81e2f7bf1a506641a97779cf8a2dbb4854bdee9b54a3af44
                                                      • Opcode Fuzzy Hash: a26ac37256b46f37dafaa1639b6161d3c74965de31f33782a7f50f8c15282b1d
                                                      • Instruction Fuzzy Hash: 4C31A231E002099BDB15DF69D8506AEFBB2FFC9304F14861AE805FB341EB70A846CB91
                                                      Function 01587059 Relevance: .1, Instructions: 82COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4fc185f86c03c2015b9991b1cf189457e3340c902a5f1436cfe611e7a0fa6d01
                                                      • Instruction ID: 867bbebdbe02e49dc7700e969027c8237b98ad1eaef98876dd614d80aca46455
                                                      • Opcode Fuzzy Hash: 4fc185f86c03c2015b9991b1cf189457e3340c902a5f1436cfe611e7a0fa6d01
                                                      • Instruction Fuzzy Hash: 37212C34700214DFD705EBB4D454A2E77ABFB8D700F108068E4069B3A4CF769C52DB51
                                                      Function 0158166B Relevance: .1, Instructions: 79COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8df1ff6e80efa2d77bcfc605d2b01b5904d89ef36afa7c275f71b87ffe5ee688
                                                      • Instruction ID: 526ad45dfeb8073b9cd8573abdf8ece710dcf28981250a6810aaf1319998d859
                                                      • Opcode Fuzzy Hash: 8df1ff6e80efa2d77bcfc605d2b01b5904d89ef36afa7c275f71b87ffe5ee688
                                                      • Instruction Fuzzy Hash: 7C21E770A401008FEB12FB6CE88476D37A9FB4D304F145955D446CF252EA34DC968FA2
                                                      Function 015892E0 Relevance: .1, Instructions: 78COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4705a5bde13f5c17103986456b890dc9bf99d89d127f8cb367d72baba2daf20d
                                                      • Instruction ID: 0d403fd769df3ae3004d9868f36813e7a7c75a4cb60192f9c798a0364b1be014
                                                      • Opcode Fuzzy Hash: 4705a5bde13f5c17103986456b890dc9bf99d89d127f8cb367d72baba2daf20d
                                                      • Instruction Fuzzy Hash: 53216230E102099BDB15DFA9D4506AEF7B2FFC9304F10D61AE805FB291DB70A882CB91
                                                      Function 015891D0 Relevance: .1, Instructions: 76COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e757b3068d5aa7a6f7c180a264d0e0d13c2db2046466bb607da796bdedcc662d
                                                      • Instruction ID: 52c22d4a50bf7ececb2db27eda948f5ee413faa1bc1a972d791bb16208c73089
                                                      • Opcode Fuzzy Hash: e757b3068d5aa7a6f7c180a264d0e0d13c2db2046466bb607da796bdedcc662d
                                                      • Instruction Fuzzy Hash: EC218331E002099BDB15DFA9C450AEEFBB2BFC9304F14861AE816FB351DB709946CB50
                                                      Function 0158133F Relevance: .1, Instructions: 73COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e52fbd26557fc9423f1393afd192423f221b3cf2818b493e612b009ee9452e3f
                                                      • Instruction ID: f4313c5af5b0908567e5e1ca2274324fe01a4f278c50c3ef5b7d75c452d8f4fe
                                                      • Opcode Fuzzy Hash: e52fbd26557fc9423f1393afd192423f221b3cf2818b493e612b009ee9452e3f
                                                      • Instruction Fuzzy Hash: 4821F3706006008FEB36773CE48872C7B91FB0A311F40086AE906EB795DF28C8828B5A
                                                      Function 01581840 Relevance: .1, Instructions: 73COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c32df645ca99fb9c94f47d4433048c89a4b0207a7456abaa3b17e5a76af48bda
                                                      • Instruction ID: 696d7daff15f203f1f9ac22aa74b8d08493c97718886a7aaf8dda838ced599ab
                                                      • Opcode Fuzzy Hash: c32df645ca99fb9c94f47d4433048c89a4b0207a7456abaa3b17e5a76af48bda
                                                      • Instruction Fuzzy Hash: CE213730A04645CFDB15EB78C5A57AE77F5BB8A205F1000A9D502BF3A0DB759C42CB51
                                                      Function 01584F53 Relevance: .1, Instructions: 72COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 06a98fc833c0dd16348bd6959c835c552ea4665a7973bfe9a0991a4860734f0e
                                                      • Instruction ID: bd1527d8e47943a40622f4e88b3ebd38f6a9b26905e0cc628f0b4ae6ce858a83
                                                      • Opcode Fuzzy Hash: 06a98fc833c0dd16348bd6959c835c552ea4665a7973bfe9a0991a4860734f0e
                                                      • Instruction Fuzzy Hash: 0E210634A00245CFDB15EB78C968BAE77F5FF89240B1044A9E802EF3A5EB359D05DB51
                                                      Function 014FD01C Relevance: .1, Instructions: 72COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879616481.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_14fd000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1c2f9f9e08e3d3fe056cac872dd4b0ac46b053e432ea0d8fd9437247dda2c588
                                                      • Instruction ID: afcb241fd381df5825b0fbd1325144df3bb39e70279e0a5d0c0b2e10333ddb54
                                                      • Opcode Fuzzy Hash: 1c2f9f9e08e3d3fe056cac872dd4b0ac46b053e432ea0d8fd9437247dda2c588
                                                      • Instruction Fuzzy Hash: 602137B1904300DFDB15DF54D8C0B16BB61FB84318F20C56EDA0A4B366C336D447CA62
                                                      Function 014FD1E4 Relevance: .1, Instructions: 72COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879616481.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_14fd000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 33fb8ab3228f5fe516b57c441634deed6067a34bf418c4f76e64de00d2119d09
                                                      • Instruction ID: 2a9f229bdf20b99af1e3dc4e3f4750cbdcf6154167a456da14b8313587b8aa5f
                                                      • Opcode Fuzzy Hash: 33fb8ab3228f5fe516b57c441634deed6067a34bf418c4f76e64de00d2119d09
                                                      • Instruction Fuzzy Hash: DF2126B9904300DFDB05DF94D9C4B2ABB65FB84324F21C66EDA090B366C776D446CAE2
                                                      Function 014FD394 Relevance: .1, Instructions: 72COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879616481.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_14fd000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1d9b9b15dc6b59d72a51c8f070fcbf2a595c233320d7ad77a0700b18a8052da0
                                                      • Instruction ID: 9db01057770ecd8d94563f43a9bd0f6769c76b28989190134cbed9ec1599405d
                                                      • Opcode Fuzzy Hash: 1d9b9b15dc6b59d72a51c8f070fcbf2a595c233320d7ad77a0700b18a8052da0
                                                      • Instruction Fuzzy Hash: 4F210771A04200DFDB05DF94D9C0B26BB65FB88314F20C57EDA4A4B362C336E456CA62
                                                      Function 015891E0 Relevance: .1, Instructions: 70COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fe4ea3599de920da495accf9a040bf4ec01827d5cebb5b4f60eef1cd8ffee1dd
                                                      • Instruction ID: 1c2eb6b585ad1f4e184dab172cccff9c2eb1a57ba701b5977b16d5a28c126de8
                                                      • Opcode Fuzzy Hash: fe4ea3599de920da495accf9a040bf4ec01827d5cebb5b4f60eef1cd8ffee1dd
                                                      • Instruction Fuzzy Hash: 8A216231E002099BDB19DFA9C4549AEF7B2FFC9314F10861AE816FB391DB70A845CB90
                                                      Function 01581850 Relevance: .1, Instructions: 70COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a4d68dd39141fa0bb767914e29b0c3369df20fe2e76b5a5900e0fd0b49f11aad
                                                      • Instruction ID: 0e3e1d7f0189691c6fe6bbb241581fd49359e7b1ce7eb1c66f75b052354aacaf
                                                      • Opcode Fuzzy Hash: a4d68dd39141fa0bb767914e29b0c3369df20fe2e76b5a5900e0fd0b49f11aad
                                                      • Instruction Fuzzy Hash: 8B212830B04605CFEB15EB78C5956AE77F6BB89245F1004A8D506FF3A0DB369C42CB92
                                                      Function 01581678 Relevance: .1, Instructions: 69COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c79c7ce3bf9cc9ed6a2b42e529942bed2209d10bb5b67aa3cd2fc59105e470d2
                                                      • Instruction ID: 4c6bb3566d35df3c2373a20da7445d241d0a69cd1b382848f95215d3cb40802a
                                                      • Opcode Fuzzy Hash: c79c7ce3bf9cc9ed6a2b42e529942bed2209d10bb5b67aa3cd2fc59105e470d2
                                                      • Instruction Fuzzy Hash: EC219370A005008FEF25FB6CE8C4B6D3759FB49314F105925D406CB656EA38DCA68FA5
                                                      Function 01584F60 Relevance: .1, Instructions: 68COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1abeb1a48597f6d72f3f53ade88197f80cd38a4ffd4c9be035d40a0e40b0b5c9
                                                      • Instruction ID: 53168c8aaeafafaff1498cfbcb6699396e6d95d9eb92ae291b97e2950ab69f40
                                                      • Opcode Fuzzy Hash: 1abeb1a48597f6d72f3f53ade88197f80cd38a4ffd4c9be035d40a0e40b0b5c9
                                                      • Instruction Fuzzy Hash: 84210534B00205CFDB15EB78C968BAE77F5BB88240F1044A9E906EB3A0EB359D01DB91
                                                      Function 01586B68 Relevance: .1, Instructions: 67COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 50a2592aeb0772cf2aa4c4b9c65947fbd242fcbb3ea18ca7e1b6523eeab65ef8
                                                      • Instruction ID: fc3662fea2f27206afa7b105fd49c756ea93e3ef8eb06052b6983fb3046f6e6e
                                                      • Opcode Fuzzy Hash: 50a2592aeb0772cf2aa4c4b9c65947fbd242fcbb3ea18ca7e1b6523eeab65ef8
                                                      • Instruction Fuzzy Hash: C821F3716092548FC316AB7894643AA7FE2EF86705F0444EFC085CB296EB799808C7A2
                                                      Function 0158178B Relevance: .1, Instructions: 66COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7691f417b193e4168c5ac67e5a27d72859894d1146f18b208fe706a180bfde48
                                                      • Instruction ID: 7771a2bca27abb7a2ceab905d79a65765b9980a658570e4c003acd75dd4107fb
                                                      • Opcode Fuzzy Hash: 7691f417b193e4168c5ac67e5a27d72859894d1146f18b208fe706a180bfde48
                                                      • Instruction Fuzzy Hash: 1B112676F006549FDF11BF78984426E7FF9FB49250F10056AE905EB346EB34880287E1
                                                      Function 01580838 Relevance: .1, Instructions: 64COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f6d8b8e68577698b3302e38a14c399269242f197f0a427efef0bb6c49ab985c7
                                                      • Instruction ID: e806f3b9884daf9ddb2418c534dc1d5ef4399c590301286b3cae09048a42e486
                                                      • Opcode Fuzzy Hash: f6d8b8e68577698b3302e38a14c399269242f197f0a427efef0bb6c49ab985c7
                                                      • Instruction Fuzzy Hash: 82116D30A152058BEF266B7CC85437D37A5FB86314F14496AE402EF282DA24CCC98FD2
                                                      Function 01580848 Relevance: .1, Instructions: 62COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 876dd68e568b20b15b75d0bc17658f6ead8d991d18887caf17bff02fe439c316
                                                      • Instruction ID: 754d6f0495168bfc4a24c90ff49724c174ccba257a916cc5b864223e783c2090
                                                      • Opcode Fuzzy Hash: 876dd68e568b20b15b75d0bc17658f6ead8d991d18887caf17bff02fe439c316
                                                      • Instruction Fuzzy Hash: 52113A30B102098BEF65BB7DC84472D3395FB4A214F208969E406EF282DA25CCC98FD2
                                                      Function 014FD006 Relevance: .1, Instructions: 62COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879616481.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_14fd000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8648a01c8f85d9010cbfc8eb6737ad22e6cacbd18653b6e40d0148246c384026
                                                      • Instruction ID: 31d67a0a1dc78e483a631df32a839d113d4d4a0039b2de4fbf4deebdbafa219b
                                                      • Opcode Fuzzy Hash: 8648a01c8f85d9010cbfc8eb6737ad22e6cacbd18653b6e40d0148246c384026
                                                      • Instruction Fuzzy Hash: 2E217F755093808FCB06CF24D594716BF71EB46218F28C5EAD9498F7A7C33A984ACB62
                                                      Function 01581460 Relevance: .1, Instructions: 53COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 895f843984cb68ee15c216ce6aaee6fabdd10b1f6554c9962e37b3d75468b3c3
                                                      • Instruction ID: 49a3ea76e68c87b330d99f59f568a0858e24317aa32b0e70899915729aa8691c
                                                      • Opcode Fuzzy Hash: 895f843984cb68ee15c216ce6aaee6fabdd10b1f6554c9962e37b3d75468b3c3
                                                      • Instruction Fuzzy Hash: 45016D31A016168FCF21FFBC84905AD7BF4BB88264B14447AD405FB241E635D842CB95
                                                      Function 014FD38F Relevance: .1, Instructions: 53COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879616481.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_14fd000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 04b342587f02f4df216fd9fa4589941a60fabf0b5787ec5e4e812599987ae7f8
                                                      • Instruction ID: 3c001d02765d968c4b5ce486bf8df476fe9ef495831aae664776fc2fb65de082
                                                      • Opcode Fuzzy Hash: 04b342587f02f4df216fd9fa4589941a60fabf0b5787ec5e4e812599987ae7f8
                                                      • Instruction Fuzzy Hash: 1E11AC75904240DFCB02CF54D5C4B56BB61FB84218F24C6AED9494B762C33AE44ACF52
                                                      Function 014FD1DF Relevance: .1, Instructions: 53COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879616481.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_14fd000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fe29617760380478690089006a0cc6f54f4220f428edbdb5d188c8f044c695c2
                                                      • Instruction ID: fba8614447df93100ad81a07d70999976275f174aabd18851bfb4ab287d3c5b0
                                                      • Opcode Fuzzy Hash: fe29617760380478690089006a0cc6f54f4220f428edbdb5d188c8f044c695c2
                                                      • Instruction Fuzzy Hash: FC119079904280CFDB12CF54D5C4B16BB61FB84324F25C6AED9494B756C33AD44ACB92
                                                      Function 014ED89D Relevance: .0, Instructions: 45COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879562716.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_14ed000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6dc812c9837ba5c2149908573d756b62387051013d58df342b145abd3f244cc4
                                                      • Instruction ID: 86772788aa1b1ba9efb6d264f5749d828e820827df4dff8490fcf871753444e2
                                                      • Opcode Fuzzy Hash: 6dc812c9837ba5c2149908573d756b62387051013d58df342b145abd3f244cc4
                                                      • Instruction Fuzzy Hash: 3701F7314083449BE7144A96DC88B67BBD8EF41221F08C05BED6D0A292C6799844CA72
                                                      Function 01588170 Relevance: .0, Instructions: 38COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d766f2854fb1634a7a8f24535e4063f6b83745e7238cd1b087e8022a364c98b6
                                                      • Instruction ID: f0e3f129bd15c180f923de68c878497a49a61f52c900c89cfe5977d4e44b7270
                                                      • Opcode Fuzzy Hash: d766f2854fb1634a7a8f24535e4063f6b83745e7238cd1b087e8022a364c98b6
                                                      • Instruction Fuzzy Hash: 39017170D05249DFDB02EBA8E9506AD7BB5EF45300F5042ADC8049B152DF30AE659B91
                                                      Function 014ED89C Relevance: .0, Instructions: 36COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879562716.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_14ed000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 91196f8f346fb5f51099e00afaf24c7c5fec1bebbdba1bd844eabeb6a16b2499
                                                      • Instruction ID: 609326ccd1da81fca7982ad425f520d2cbda67f65ace82be7fc2d18325d24706
                                                      • Opcode Fuzzy Hash: 91196f8f346fb5f51099e00afaf24c7c5fec1bebbdba1bd844eabeb6a16b2499
                                                      • Instruction Fuzzy Hash: 2DF0CD71408344AEE7108A0ADC88B67FFD8EB41735F18C05AED980F293C278A844CAB1
                                                      Function 01588180 Relevance: .0, Instructions: 33COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.3879880665.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_1580000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c067b53c262fc5bcc17ad142fdd7044f5bdbf8100cae968424cc7856419a9e9b
                                                      • Instruction ID: abe51634d3c5230793ffc61ae2c353af7873cc87641d6be1b1ab5a58789feeff
                                                      • Opcode Fuzzy Hash: c067b53c262fc5bcc17ad142fdd7044f5bdbf8100cae968424cc7856419a9e9b
                                                      • Instruction Fuzzy Hash: 8DF03C70E01209DFDB05EFA8E9605AD7BB5EB44300F5096A9C4049B251EF306EA59BA1