

Windows Analysis Report
hesaphareketi-01.pdf.SCR.exe

Overview

General Information

Sample name: hesaphareketi-01.pdf.SCR.exe
Analysis ID: 1428352
MD5: d4e8894fb5ed5f45972882fbc6ef04dc
SHA1: f5ac926e2501659cd3933afb72e1172b1147f95d
SHA256: 4888ef9f557bfc04c0c7da3ff2dc1fc34767273d90053aa1e04c3892300afe12
Tags: AgentTesla, exe, geo, SCR, TUR

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: RegAsm connects to smtp port
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • hesaphareketi-01.pdf.SCR.exe (PID: 6592 cmdline: "C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe" MD5: D4E8894FB5ED5F45972882FBC6EF04DC)
    • powershell.exe (PID: 6692 cmdline: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tt.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) (the PowerShell arguments are interleaved with non-printable Unicode padding characters, which the sandbox renders as "?"; shown here with the padding removed)
      • conhost.exe (PID: 6708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 416 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • svchost.exe (PID: 5796 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cbsBVT.exe (PID: 1068 cmdline: "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • conhost.exe (PID: 4628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cbsBVT.exe (PID: 6760 cmdline: "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • conhost.exe (PID: 6880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
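The PowerShell persistence step in the tree above (arguments interleaved with hidden Unicode characters, ExecutionPolicy Bypass, Copy-Item of the sample into the Startup folder) is the kind of command line that defeats naive string matching on process-creation logs, because the padding sits between every letter of the keywords a rule looks for. The Python below is an added example and is not part of the Joe Sandbox report: it strips Unicode format, control and private-use code points before matching, then reports the indicators. The sample command line is constructed to mirror the tree entry, with ZERO WIDTH SPACE standing in for the padding characters; their actual code points are not recoverable from the rendered report.

```python
import re
import unicodedata

# Constructed command line modelled on the powershell.exe entry in the process
# tree. The sandbox renders a non-printable character between every character
# of the arguments as "?"; this example assumes those are Unicode format
# characters and uses ZERO WIDTH SPACE (U+200B) as a stand-in.
_PAD = "\u200b"
SAMPLE_CMDLINE = (
    '"Powershell.exe" '
    + _PAD.join("-ExecutionPolicy Bypass -command Copy-Item")
    + " 'C:\\Users\\user\\Desktop\\hesaphareketi-01.pdf.SCR.exe'"
    + " 'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\tt.exe'"
)

# Unicode general categories that never belong in a genuine PowerShell command
# line: format (Cf: zero-width and bidi controls), control (Cc), private use (Co).
_HIDDEN_CATEGORIES = {"Cf", "Cc", "Co"}


def normalize_cmdline(cmdline: str) -> str:
    """Return the command line with hidden Unicode code points removed."""
    return "".join(ch for ch in cmdline if unicodedata.category(ch) not in _HIDDEN_CATEGORIES)


# powershell.exe accepts abbreviated parameter names (-exec, -ep), so match
# prefixes rather than only the full -ExecutionPolicy.
_EXEC_BYPASS_RE = re.compile(r"-e(?:xec\w*|p)\s+bypass", re.IGNORECASE)
_STARTUP_COPY_RE = re.compile(r"\bcopy-item\b.*\\start menu\\programs\\startup\\", re.IGNORECASE)


def powershell_persistence_indicators(cmdline: str):
    """Normalize a PowerShell command line and list the indicators it matches."""
    norm = normalize_cmdline(cmdline)
    hits = []
    hidden = len(cmdline) - len(norm)
    if hidden:
        # Any hidden code point in a command line is itself an indicator.
        hits.append(f"hidden_unicode:{hidden}")
    if _EXEC_BYPASS_RE.search(norm):
        hits.append("executionpolicy_bypass")
    if _STARTUP_COPY_RE.search(norm):
        hits.append("copy_to_startup_folder")
    return norm, hits


if __name__ == "__main__":
    normalized, indicators = powershell_persistence_indicators(SAMPLE_CMDLINE)
    print(normalized)
    print(indicators)
```

Run the same regexes against the raw, unnormalized string and neither keyword pattern matches, which is why the normalization has to happen before the rule logic rather than inside it. Sysmon and the Security log both record the command line with the padding intact.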
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration: {"Exfil Mode": "SMTP", "Port": "587", "Host": "business29.web-hosting.com", "Username": "admin@purchase.boats", "Password": "Esupofo234@"}
Yara matches in memory dumps (Source | Rule | Description | Author):
  • 00000003.00000002.3042736012.0000000002EA4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 00000003.00000002.3042736012.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 00000000.00000002.1800686343.0000000003739000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 00000000.00000002.1800686343.0000000003739000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 00000003.00000002.3042736012.0000000002E71000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  (8 entries in total in the full report)
Yara matches in unpacked PE files (Source | Rule | Description | Author):
  • 0.2.hesaphareketi-01.pdf.SCR.exe.38a1450.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 0.2.hesaphareketi-01.pdf.SCR.exe.38a1450.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 0.2.hesaphareketi-01.pdf.SCR.exe.38a1450.3.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
    Strings:
    • 0x3203f: $s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
    • 0x320b1: $s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
    • 0x3213b: $s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
    • 0x321cd: $s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
    • 0x32237: $s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
    • 0x322a9: $s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
    • 0x3233f: $s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
    • 0x323cf: $s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
  • 3.2.RegAsm.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 3.2.RegAsm.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  (10 entries in total in the full report)
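The ditekSHen rule above fires on the Windows Vault schema GUID strings listed at the given offsets. As an added example (the rule's own text is not reproduced here), the scanner below searches a buffer for the same GUIDs in both ASCII and UTF-16LE, because .NET assemblies store string literals as UTF-16LE in the #US metadata heap and an ASCII-only grep over the unpacked image misses them. The buffer is constructed for the example, and the three-GUID threshold is this example's choice, not the rule's.

```python
# Windows Vault schema GUIDs as listed in the YARA match above. This is an
# independent scanner for the same strings, not ditekSHen's rule.
VAULT_SCHEMA_GUIDS = [
    "2F1A6504-0641-44CF-8BB5-3612D865F2E5",
    "3CCD5499-87A8-4B10-A215-608888DD3B55",
    "154E23D0-C644-4E6F-8CE6-5069272F999F",
    "4BF4C442-9B8A-41A0-B380-DD4A704DDB28",
    "77BC582B-F0A6-4E15-4E80-61736B6F3B29",
    "E69D7838-91B5-4FC9-89D5-230D4D4CC2BC",
    "3E0E35BE-1B77-43E7-B873-AED901B6275B",
    "3C886FF3-2669-4AA2-A8FB-3F6759A77548",
]


def _find_all(haystack: bytes, needle: bytes):
    """Yield every (possibly overlapping) offset of needle in haystack."""
    start = 0
    while (pos := haystack.find(needle, start)) != -1:
        yield pos
        start = pos + 1


def find_vault_guid_references(data: bytes):
    """Return sorted (offset, encoding, guid) tuples for each GUID occurrence.

    bytes.lower() folds ASCII letters only, so the 0x00 bytes of a UTF-16LE
    string survive and the comparison is case-insensitive in both encodings.
    """
    lowered = data.lower()
    hits = []
    for guid in VAULT_SCHEMA_GUIDS:
        for encoding in ("ascii", "utf-16-le"):
            needle = guid.lower().encode(encoding)
            hits.extend((pos, encoding, guid) for pos in _find_all(lowered, needle))
    return sorted(hits)


def references_credential_vault(data: bytes, min_distinct: int = 3) -> bool:
    """Flag a buffer referencing at least min_distinct vault schema GUIDs.

    The threshold is this example's choice; a single GUID can appear in
    legitimate credential-manager tooling.
    """
    distinct = {guid for _, _, guid in find_vault_guid_references(data)}
    return len(distinct) >= min_distinct


# Constructed buffer: a PE-like header stub followed by GUID strings in the
# encodings a .NET assembly and its unpacked memory image would contain.
SAMPLE_BLOB = (
    b"MZ" + b"\x00" * 14
    + VAULT_SCHEMA_GUIDS[0].encode("utf-16-le")        # offset 16, .NET user-string style
    + b"\x00" * 8
    + VAULT_SCHEMA_GUIDS[1].lower().encode("ascii")    # offset 96, lower-case ASCII copy
    + b"\x00" * 8
    + VAULT_SCHEMA_GUIDS[2].encode("utf-16-le")        # offset 140
)

if __name__ == "__main__":
    for offset, encoding, guid in find_vault_guid_references(SAMPLE_BLOB):
        print(f"0x{offset:x} {encoding:9} {guid}")
    print("vault reference:", references_credential_vault(SAMPLE_BLOB))
```

Run it against the unpacked PE from the report (`0.2.hesaphareketi-01.pdf.SCR.exe.38a1450.3.unpack`) rather than the packed sample on disk: the outer layer is obfuscated and the GUIDs only appear once the payload is unpacked in memory, which is also why the report's matches are on `.unpack` artifacts.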

                    Networking

Source: Network Connection | Author: Joe Security | Data: DestinationIp: 198.54.114.199, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 416, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49736

                    System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 416, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cbsBVT
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tt.exe' (arguments interleaved with non-printable Unicode padding characters, rendered as "?" in the sandbox report; shown with the padding removed), CommandLine: (same command line), CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe", ParentImage: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe, ParentProcessId: 6592, ParentProcessName: hesaphareketi-01.pdf.SCR.exe, ProcessCommandLine: (same command line), ProcessId: 6692, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5796, ProcessName: svchost.exe
                    No Snort rule has matched
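The two Sigma matches above (RegAsm.exe opening a connection to an SMTP port, and a write below CurrentVersion\Run) expressed as detection logic over constructed Sysmon-style events. This is an added example, not Joe Sandbox's or the Sigma rules' own code: it generalizes the first rule to the other Microsoft .NET host binaries that loaders of this kind hollow (RegSvcs, InstallUtil, MSBuild, aspnet_compiler) and narrows the autorun rule to Run and RunOnce. The event fields mirror the report's Data lines; the two benign events are constructed controls.

```python
import re

# Constructed Sysmon-style events modelled on the report's two Sigma matches
# (EventID 3 from RegAsm.exe to 198.54.114.199:587, EventID 13 SetValue on
# HKCU\...\CurrentVersion\Run\cbsBVT). The firefox.exe and explorer.exe events
# are invented controls that the rules must ignore.
SAMPLE_EVENTS = [
    {"EventID": 3, "ProcessId": 416, "Initiated": True,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "DestinationIp": "198.54.114.199", "DestinationPort": 587},
    {"EventID": 3, "ProcessId": 2480, "Initiated": True,
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "104.26.12.205", "DestinationPort": 443},
    {"EventID": 13, "ProcessId": 416, "EventType": "SetValue",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cbsBVT",
     "Details": r"C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"},
    {"EventID": 13, "ProcessId": 4012, "EventType": "SetValue",
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

SMTP_PORTS = {25, 465, 587}
# .NET framework utilities that stealer loaders start suspended and hollow;
# none of them has a legitimate reason to speak SMTP.
DOTNET_HOST_IMAGES = {"regasm.exe", "regsvcs.exe", "installutil.exe",
                      "msbuild.exe", "aspnet_compiler.exe"}
# Trailing backslash keeps Run\ and RunOnce\ from matching unrelated keys.
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(?:once)?\\",
                        re.IGNORECASE)


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_dotnet_host_smtp(ev: dict):
    """Outbound connection from a .NET host binary to an SMTP port."""
    if ev.get("EventID") != 3 or not ev.get("Initiated"):
        return None
    if image_name(ev["Image"]) in DOTNET_HOST_IMAGES and ev.get("DestinationPort") in SMTP_PORTS:
        return f"{ev['Image']} -> {ev['DestinationIp']}:{ev['DestinationPort']}"
    return None


def rule_run_key_modification(ev: dict):
    """Value written under HKCU/HKLM ...\\CurrentVersion\\Run or RunOnce."""
    if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
        return None
    if RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return f"{ev['TargetObject']} = {ev.get('Details', '')}"
    return None


RULES = {
    "dotnet_host_smtp_connection": rule_dotnet_host_smtp,
    "currentversion_run_modification": rule_run_key_modification,
}


def evaluate(events):
    """Return (rule name, process id, detail) for every rule that fires."""
    alerts = []
    for ev in events:
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                alerts.append((name, ev["ProcessId"], detail))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(*alert, sep=" | ")
```

Both alerts carry the same ProcessId (416), which is the correlation worth keying on in a SIEM: a hollowed RegAsm.exe that first registers persistence and then exfiltrates over SMTP is far more specific than either event alone, and the process tree above shows the loader and the persisted cbsBVT.exe never touch the network themselves.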


                    AV Detection

Source: hesaphareketi-01.pdf.SCR.exe | Avira: detected
Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware (this string comes from powershell.exe process memory, see the strings list below, where it belongs to the Pester test module shipped with Windows PowerShell; it is not traffic generated by the sample)
Source: 0.2.hesaphareketi-01.pdf.SCR.exe.38a1450.3.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "business29.web-hosting.com", "Username": "admin@purchase.boats", "Password": "Esupofo234@"}
Source: hesaphareketi-01.pdf.SCR.exe | ReversingLabs: Detection: 36%
Source: hesaphareketi-01.pdf.SCR.exe | Joe Sandbox ML: detected
Source: hesaphareketi-01.pdf.SCR.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: hesaphareketi-01.pdf.SCR.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\GT350\source\repos\AtllasRunp\AtllasRunp\obj\Debug\Bienvenida.pdb | source: hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1802401807.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp, hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1800362820.0000000002731000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb | source: powershell.exe, 00000001.00000002.1815427737.0000000007939000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RegAsm.pdb | source: cbsBVT.exe, 00000008.00000000.1943793689.0000000000252000.00000002.00000001.01000000.0000000B.sdmp, cbsBVT.exe.3.dr
Source: Binary string: RegAsm.pdb4 | source: cbsBVT.exe, 00000008.00000000.1943793689.0000000000252000.00000002.00000001.01000000.0000000B.sdmp, cbsBVT.exe.3.dr
The RegAsm.pdb reference in cbsBVT.exe, together with the MD5 shown in the process tree (0D5DF43AF2916F47D00C1573797C1A13 for both cbsBVT.exe and C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), shows that the file dropped for Run-key persistence is a byte-identical copy of the legitimate RegAsm.exe host rather than a copy of the stealer payload.
Source: global traffic | TCP traffic: 192.168.2.4:49736 -> 198.54.114.199:587
Source: Joe Sandbox View | IP Address: 104.26.12.205
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | DNS traffic detected: queries for: api.ipify.org
Source: RegAsm.exe, 00000003.00000002.3042736012.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://business29.web-hosting.com
Source: RegAsm.exe, 00000003.00000002.3040895408.00000000011B0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3042736012.0000000002EA4000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3041850407.000000000127C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3050148563.0000000006290000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegAsm.exe, 00000003.00000002.3041850407.000000000127C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: svchost.exe, 00000004.00000002.3042082562.000001F37AC00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: RegAsm.exe, 00000003.00000002.3042736012.0000000002EA4000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3041850407.000000000127C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3050148563.0000000006290000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: svchost.exe, 00000004.00000003.1791796088.000001F37AE18000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.4.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: edb.log.4.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: edb.log.4.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000004.00000003.1791796088.000001F37AE18000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000004.00000003.1791796088.000001F37AE18000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000004.00000003.1791796088.000001F37AE4D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.4.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
(The edgedl.me.gvt1.com, office.net, g.live.com and oneclient.sfx.ms entries are read from the BITS service's job database, qmgr.db and edb.log, and reflect the sandbox image's own Chrome, Office and OneDrive update jobs; they are not indicators of sample activity.)
Source: powershell.exe, 00000001.00000002.1808727641.00000000051FC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://go.micros
Source: powershell.exe, 00000001.00000002.1812874915.0000000005D68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: RegAsm.exe, 00000003.00000002.3040895408.00000000011B0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3042736012.0000000002EA4000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3041850407.000000000127C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3050148563.0000000006290000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: RegAsm.exe, 00000003.00000002.3042736012.0000000002EA4000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3041850407.000000000127C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3050148563.0000000006290000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0-
Source: powershell.exe, 00000001.00000002.1808727641.0000000004E56000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1808727641.0000000004E56000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000001.00000002.1808727641.0000000004D01000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3042736012.0000000002E21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1808727641.0000000004E56000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1804166325.0000000006C22000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory (font-foundry URLs from embedded font metadata, not contact indicators):
  • http://www.apache.org/licenses/LICENSE-2.0
  • http://www.carterandcone.coml
  • http://www.fontbureau.com
  • http://www.fontbureau.com/designers
  • http://www.fontbureau.com/designers/?
  • http://www.fontbureau.com/designers/cabarga.htmlN
  • http://www.fontbureau.com/designers/frere-user.html
  • http://www.fontbureau.com/designers8
  • http://www.fontbureau.com/designers?
  • http://www.fontbureau.com/designersG
  • http://www.fonts.com
  • http://www.founder.com.cn/cn
  • http://www.founder.com.cn/cn/bThe
  • http://www.founder.com.cn/cn/cThe
  • http://www.galapagosdesign.com/DPlease
  • http://www.galapagosdesign.com/staff/dennis.htm
  • http://www.goodfont.co.kr
  • http://www.jiyu-kobo.co.jp/
  • http://www.sajatypeworks.com
  • http://www.sakkal.com
  • http://www.sandoll.co.kr
  • http://www.tiro.com
  • http://www.typography.netD
  • http://www.urwpp.deDPlease
  • http://www.zhongyicts.com.cn
Source: powershell.exe, 00000001.00000002.1808727641.0000000004E56000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1800686343.0000000003739000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3040210068.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: powershell.exe, 00000001.00000002.1815427737.0000000007939000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://aka..winsvrxd
Source: powershell.exe, 00000001.00000002.1808727641.0000000004D01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000001.00000002.1808727641.0000000004E56000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1800686343.0000000003739000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3042736012.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3040210068.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: RegAsm.exe, 00000003.00000002.3042736012.0000000002E21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: RegAsm.exe, 00000003.00000002.3042736012.0000000002E21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: powershell.exe, 00000001.00000002.1812874915.0000000005D68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1812874915.0000000005D68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1812874915.0000000005D68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 00000004.00000003.1791796088.000001F37AEC2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr | String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.4.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.4.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.4.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000004.00000003.1791796088.000001F37AEC2000.00000004.00000800.00020000.00000000.sdmp, edb.log.4.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: powershell.exe, 00000001.00000002.1808727641.0000000004E56000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1802601250.0000000004EF0000.00000004.08000000.00040000.00000000.sdmp, hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1800686343.0000000003739000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/sam210723/goesrecv-monitor/releases/latest
Source: powershell.exe, 00000001.00000002.1812874915.0000000005D68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 00000004.00000003.1791796088.000001F37AEC2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.4.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: RegAsm.exe, 00000003.00000002.3042736012.0000000002EA4000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3041850407.000000000127C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3050148563.0000000006290000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1802601250.0000000004EF0000.00000004.08000000.00040000.00000000.sdmp, hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1800686343.0000000003739000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://vksdr.com/goesrecv-monitor
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.hesaphareketi-01.pdf.SCR.exe.38a1450.3.raw.unpack, cPKWk.cs | .Net Code: f0r

                    System Summary

Source: 0.2.hesaphareketi-01.pdf.SCR.exe.38a1450.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.hesaphareketi-01.pdf.SCR.exe.38a1450.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.hesaphareketi-01.pdf.SCR.exe.37da1b0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.hesaphareketi-01.pdf.SCR.exe.3789b80.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: initial sample | Static PE information: Filename: hesaphareketi-01.pdf.SCR.exe
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Code function: 0_2_04B7CD3C
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Code function: 0_2_04B7F5B8
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Code function: 0_2_04B7F5A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_02D04B10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_02D03EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_02D04240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_02D0CC98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_02D0CCA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06B04131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06B2B6C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06B2CE58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06B27440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06B2ADD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06B24D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06B219E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06B2C778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06B21A99
Source: hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1802601250.0000000004EF0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamegoesrecv.dllB vs hesaphareketi-01.pdf.SCR.exe
Source: hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1800686343.0000000003739000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamegoesrecv.dllB vs hesaphareketi-01.pdf.SCR.exe
Source: hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1800686343.0000000003739000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename2379f9fe-9543-4c0b-b671-f5490ed118f9.exe4 vs hesaphareketi-01.pdf.SCR.exe
Source: hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1802401807.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameBienvenida.exe6 vs hesaphareketi-01.pdf.SCR.exe
Source: hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1798752762.00000000007FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs hesaphareketi-01.pdf.SCR.exe
Source: hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1800362820.0000000002731000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBienvenida.exe6 vs hesaphareketi-01.pdf.SCR.exe
Source: hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1800362820.0000000002731000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename2379f9fe-9543-4c0b-b671-f5490ed118f9.exe4 vs hesaphareketi-01.pdf.SCR.exe
Source: hesaphareketi-01.pdf.SCR.exe | Binary or memory string: OriginalFilenamePoster.exe. vs hesaphareketi-01.pdf.SCR.exe
Source: hesaphareketi-01.pdf.SCR.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.hesaphareketi-01.pdf.SCR.exe.38a1450.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.hesaphareketi-01.pdf.SCR.exe.38a1450.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.hesaphareketi-01.pdf.SCR.exe.37da1b0.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.hesaphareketi-01.pdf.SCR.exe.3789b80.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: hesaphareketi-01.pdf.SCR.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.hesaphareketi-01.pdf.SCR.exe.38a1450.3.raw.unpack, cPs8D.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareketi-01.pdf.SCR.exe.38a1450.3.raw.unpack, 72CF8egH.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareketi-01.pdf.SCR.exe.38a1450.3.raw.unpack, G5CXsdn.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareketi-01.pdf.SCR.exe.38a1450.3.raw.unpack, 3uPsILA6U.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.hesaphareketi-01.pdf.SCR.exe.38a1450.3.raw.unpack, 6oQOw74dfIt.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareketi-01.pdf.SCR.exe.38a1450.3.raw.unpack, aMIWm.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.hesaphareketi-01.pdf.SCR.exe.38a1450.3.raw.unpack, 3QjbQ514BDx.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareketi-01.pdf.SCR.exe.38a1450.3.raw.unpack, 3QjbQ514BDx.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareketi-01.pdf.SCR.exe.4ef0000.6.raw.unpack, Symbols.cs | Base64 encoded string: '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', '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
Source: 0.2.hesaphareketi-01.pdf.SCR.exe.37da1b0.4.raw.unpack, Symbols.cs | Base64 encoded string: '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', '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
Source: 0.2.hesaphareketi-01.pdf.SCR.exe.3789b80.2.raw.unpack, Symbols.cs | Base64 encoded string: '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', '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
Source: classification engine | Classification label: mal100.spre.troj.spyw.evad.winEXE@11/14@2/3
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hesaphareketi-01.pdf.SCR.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6708:120:WilError_03
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4628:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6880:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xlcbossz.gmt.ps1
Source: hesaphareketi-01.pdf.SCR.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: hesaphareketi-01.pdf.SCR.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: hesaphareketi-01.pdf.SCR.exe | ReversingLabs: Detection: 36%
Source: unknown | Process created: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe "C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe"
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tt.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown | Process created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tt.exe'
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: textshaping.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: textinputframework.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: coremessaging.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: coremessaging.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vaultcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Section loaded (in order): mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll,
                        ucrtbase_clr0400.dll (sequence recorded twice, followed by one further load of ucrtbase_clr0400.dll)
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: hesaphareketi-01.pdf.SCR.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: hesaphareketi-01.pdf.SCR.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: hesaphareketi-01.pdf.SCR.exe (00000000.00000002.1802401807.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp, 00000000.00000002.1800362820.0000000002731000.00000004.00000800.00020000.00000000.sdmp) | Binary string: C:\Users\GT350\source\repos\AtllasRunp\AtllasRunp\obj\Debug\Bienvenida.pdb
                    Source: powershell.exe (00000001.00000002.1815427737.0000000007939000.00000004.00000020.00020000.00000000.sdmp) | Binary string: System.Management.Automation.pdb
                    Source: cbsBVT.exe (00000008.00000000.1943793689.0000000000252000.00000002.00000001.01000000.0000000B.sdmp), cbsBVT.exe.3.dr | Binary string: RegAsm.pdb
                    Source: cbsBVT.exe (00000008.00000000.1943793689.0000000000252000.00000002.00000001.01000000.0000000B.sdmp), cbsBVT.exe.3.dr | Binary string: RegAsm.pdb4
                    Source: hesaphareketi-01.pdf.SCR.exe | Static PE information: compile time stamp 0xF7E2BC69 [Sat Oct 15 15:02:01 2101 UTC]
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_02D00B4F push edi; ret 3_2_02D00CC2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_02D00C95 push edi; retf 3_2_02D00C3A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06B0244F push es; ret 3_2_06B02460
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06B01E3D push es; ret 3_2_06B01E44
                    Source: hesaphareketi-01.pdf.SCR.exe | Static PE information: section name: .text entropy: 7.96694997733209
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe (dropped file)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cbsBVT (2 entries)
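The time stamp, section entropy and double-extension findings above are static header checks that an analyst can reproduce without a sandbox. The Python below is an added example, not Joe Sandbox's code: it walks the PE headers by hand, classifies the COFF time stamp, computes per-section Shannon entropy and applies the double-extension heuristic. The image it parses is constructed in memory for the demonstration and is not the analysed sample; the ENTROPY_PACKED threshold, the extension lists and the plausibility window are assumptions. One caveat worth keeping in mind when reading "suspicious time stamp" on a .NET binary: Roslyn's deterministic builds write a content hash into TimeDateStamp, so a date such as 2101 is common on assemblies like this one (it carries a CLR header) and is only weak evidence on its own.

```python
# Static PE triage reproducing three checks the report derives from the sample's
# headers: compile time stamp plausibility, per-section Shannon entropy and the
# double-extension file name heuristic. Added example code, not Joe Sandbox's
# implementation; the image it parses is constructed in memory, not the sample.
import math
import struct
import time
from collections import Counter
from typing import Dict, Optional

EPOCH_2000 = 946684800        # 2000-01-01T00:00:00Z (assumed lower bound)
ENTROPY_PACKED = 7.5          # bits per byte; 8.0 is uniformly random (assumed threshold)
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; values above ~7.5 usually mean packed or encrypted."""
    if not data:
        return 0.0
    n = len(data)
    return 0.0 - sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data: bytes) -> dict:
    """Minimal header walk: COFF time stamp, CLR directory presence, raw section bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = 96 if magic == 0x10B else 112          # data directories: PE32 vs PE32+
    clr_rva = struct.unpack_from("<I", data, opt + dd_off + 14 * 8)[0]  # entry 14: COM descriptor
    sections: Dict[str, bytes] = {}
    for i in range(nsec):
        name, _, _, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = data[rawptr:rawptr + rawsize]
    return {"timestamp": ts, "is_dotnet": clr_rva != 0, "sections": sections}


def timestamp_status(ts: int, now: Optional[int] = None) -> str:
    """'zero', 'future', 'pre-2000' or 'plausible'. Caveat: Roslyn deterministic builds
    write a content hash into this field, so a wild value on a .NET binary is weak evidence."""
    now = int(time.time()) if now is None else now
    if ts == 0:
        return "zero"
    if ts > now + 86400:
        return "future"
    if ts < EPOCH_2000:
        return "pre-2000"
    return "plausible"


def looks_double_extension(filename: str) -> bool:
    """True for names like invoice.pdf.scr.exe: a document extension right before an executable one."""
    parts = filename.lower().split(".")
    return any(parts[i] in DOC_EXT and parts[i + 1] in EXEC_EXT for i in range(1, len(parts) - 1))


def triage(filename: str, data: bytes, now: Optional[int] = None) -> dict:
    """Run the three checks and return the findings an analyst would report."""
    pe = parse_pe(data)
    status = timestamp_status(pe["timestamp"], now)
    entropy = {n: round(shannon_entropy(raw), 3) for n, raw in pe["sections"].items()}
    findings = []
    if status != "plausible":
        note = " (deterministic .NET build likely)" if pe["is_dotnet"] else ""
        findings.append(f"time stamp {pe['timestamp']:#010x} is {status}{note}")
    findings += [f"section {n} entropy {e} looks packed" for n, e in entropy.items() if e > ENTROPY_PACKED]
    if looks_double_extension(filename):
        findings.append("double extension in file name")
    return {"timestamp_utc": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(pe["timestamp"])),
            "timestamp_status": status, "is_dotnet": pe["is_dotnet"],
            "section_entropy": entropy, "findings": findings}


def build_test_pe(timestamp: int, sections: Dict[str, bytes], dotnet: bool) -> bytes:
    """Constructed PE32 image that exercises the parser; it is not a runnable program."""
    n, opt_size, e_lfanew = len(sections), 0xE0, 0x40
    raw_ptr = (e_lfanew + 4 + 20 + opt_size + 40 * n + 0x1FF) & ~0x1FF   # 512-byte file alignment
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                                # PE32 magic
    if dotnet:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2000, 0x48)          # fake CLR directory entry
    table, body, ptr = b"", b"", raw_ptr
    for name, raw in sections.items():
        rawsize = (len(raw) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIII", name.encode().ljust(8, b"\0"), len(raw), ptr, rawsize, ptr) + b"\0" * 16
        body += raw.ljust(rawsize, b"\0")
        ptr += rawsize
    header = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew) + b"PE\0\0"
              + struct.pack("<HHIIIHH", 0x14C, n, timestamp, 0, 0, opt_size, 0x0102) + bytes(opt) + table)
    return header.ljust(raw_ptr, b"\0") + body


if __name__ == "__main__":
    # Constructed input: the report's time stamp, a maximally random .text and an empty .rsrc.
    image = build_test_pe(0xF7E2BC69, {".text": bytes(range(256)) * 16, ".rsrc": b"\0" * 512}, dotnet=True)
    print(triage("hesaphareketi-01.pdf.SCR.exe", image))
```

Running it against the constructed image reproduces the report's date (2101-10-15) and flags the .text section at 8.0 bits/byte; on a real sample replace `build_test_pe(...)` with the file's bytes.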
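The dropped file and Run-key entries above, together with the Zone.Identifier deletion recorded in the next section, form one persistence chain: a .NET framework utility (RegAsm.exe, which has no legitimate reason to write into a user profile) drops a copy under %APPDATA%, registers it in the HKCU Run key and strips the mark-of-the-web stream from the dropped file. The Python below is an added example and not part of the report or of Joe Sandbox: a correlation rule that groups such events per dropped file over a small constructed telemetry feed. The event schema (type, image, target, details), the sample events, the LOLBIN list and the scoring are assumptions made for illustration; the paths are the ones the report records.

```python
# Correlates the persistence chain the report records (RegAsm.exe dropping
# cbsBVT.exe under %APPDATA%, registering it in the HKCU Run key and deleting
# the file's Zone.Identifier stream) over a constructed telemetry feed.
# Added example, not the report's or Joe Sandbox's code; the event schema
# and the sample events are invented for illustration.
import re
from typing import Dict, List

# .NET framework utilities commonly abused as injection hosts (assumed list);
# a genuine RegAsm run does not write to profile directories or the Run key.
LOLBIN_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
USER_WRITABLE = re.compile(r"\\appdata\\(roaming|local)\\|\\temp\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def correlate(events: List[Dict]) -> List[Dict]:
    """Return one alert per file a LOLBIN dropped into a user-writable path,
    listing the stages seen (drop, run_key, motw_removed) and a simple score."""
    chains: Dict[str, Dict] = {}
    # Stage 1: a LOLBIN host creates a file somewhere the user can write.
    for ev in events:
        if (ev["type"] == "file_create" and _basename(ev["image"]) in LOLBIN_HOSTS
                and USER_WRITABLE.search(ev["target"])):
            chains.setdefault(ev["target"].lower(), {"dropper": ev["image"], "stages": set()})["stages"].add("drop")
    # Stages 2 and 3: a Run value pointing at that file, and its MOTW stream being deleted.
    for ev in events:
        if ev["type"] == "registry_set" and RUN_KEY.search(ev["target"]):
            for path, chain in chains.items():
                if path in ev["details"].lower():
                    chain["stages"].add("run_key")
        elif ev["type"] == "file_stream_delete" and ev["target"].lower().endswith(":zone.identifier"):
            path = ev["target"].lower().rsplit(":", 1)[0]
            if path in chains:
                chains[path]["stages"].add("motw_removed")
    alerts = []
    for path, chain in chains.items():
        stages = sorted(chain["stages"])
        if len(stages) >= 2:          # a drop alone is noisy; require persistence or MOTW removal too
            alerts.append({"file": path, "dropper": chain["dropper"], "stages": stages, "score": 30 * len(stages)})
    return alerts


# Constructed sample feed using the paths the report records, plus benign noise.
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
DROPPED = r"C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
SAMPLE_EVENTS = [
    {"type": "file_create", "image": REGASM, "target": DROPPED},
    {"type": "registry_set", "image": REGASM,
     "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cbsBVT", "details": DROPPED},
    {"type": "file_stream_delete", "image": REGASM, "target": DROPPED + ":Zone.Identifier"},
    # An installer registering its own Run entry from Program Files should not alert.
    {"type": "file_create", "image": r"C:\Program Files\Vendor\setup.exe", "target": r"C:\Program Files\Vendor\app.exe"},
    {"type": "registry_set", "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorApp", "details": r"C:\Program Files\Vendor\app.exe"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on the dropped file rather than on the process so that the Run-key write and the stream deletion still correlate when the malware performs them from a second process (here the sample also spawns a copy as cbsBVT.exe).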

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe:Zone.Identifier (access: read attributes, delete)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 entries)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 entries)
                    Source: hesaphareketi-01.pdf.SCR.exe | Static PE information: possible double extension: pdf.scr
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Process information set: NOOPENFILEERRORBOX (39 entries)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (115 entries)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match | File source: Process Memory Space: hesaphareketi-01.pdf.SCR.exe PID: 6592, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Memory allocated: D60000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Memory allocated: 2730000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Memory allocated: 2550000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 2CC0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 2E20000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 4E20000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Memory allocated: 2380000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Memory allocated: 2630000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Memory allocated: 28A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Memory allocated: 2B30000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Memory allocated: 2930000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7053
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2450
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 1022
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 5455
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe TID: 6660 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6932 | Thread sleep count: 7053 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6956 | Thread sleep count: 2450 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7076 | Thread sleep time: -10145709240540247s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3068 | Thread sleep time: -16602069666338586s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3068 | Thread sleep time: -100000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3068 | Thread sleep time: -99890s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3068 | Thread sleep time: -99781s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3068 | Thread sleep time: -99671s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3068 | Thread sleep time: -99562s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3068 | Thread sleep time: -99453s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3068 | Thread sleep time: -99343s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3068 | Thread sleep time: -99234s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3068 | Thread sleep time: -99105s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3068 | Thread sleep time: -98997s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3068 | Thread sleep time: -98890s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3068 | Thread sleep time: -98779s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3068 | Thread sleep time: -98671s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3068 | Thread sleep time: -98562s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3068 | Thread sleep time: -98429s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3068 | Thread sleep time: -98312s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3068 | Thread sleep time: -98203s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3068 | Thread sleep time: -98093s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3068 | Thread sleep time: -97984s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3068 | Thread sleep time: -97875s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3068 | Thread sleep time: -97765s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3068 | Thread sleep time: -97656s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3068 | Thread sleep time: -97546s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3068 | Thread sleep time: -97437s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3068 | Thread sleep time: -97328s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3068 | Thread sleep time: -97218s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3068 | Thread sleep time: -97109s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3068 | Thread sleep time: -96999s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3068 | Thread sleep time: -96890s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3068 | Thread sleep time: -96781s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3068 | Thread sleep time: -96671s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3068 | Thread sleep time: -96562s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3068 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\svchost.exe TID: 6352 | Thread sleep time: -30000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 4940 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 1696 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 99890
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 99781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 99671
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 99562
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 99453
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 99343
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 99234
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 99105
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 98997
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 98890
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 98779
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 98671
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 98562
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 98429
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 98312
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 98203
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 98093
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 97984
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 97875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 97765
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 97656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 97546
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 97437
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 97328
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 97218
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 97109
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 96999
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 96890
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 96781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 96671
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 96562
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 922337203685477
                    Source: powershell.exe, 00000001.00000002.1808727641.0000000004E56000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter
                    Source: powershell.exe, 00000001.00000002.1808727641.0000000004E56000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter
                    Source: svchost.exe, 00000004.00000002.3042182633.000001F37AC54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3041011255.000001F37562B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                    Source: RegAsm.exe, 00000003.00000002.3050148563.0000000006290000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllbb3
                    Source: powershell.exe, 00000001.00000002.1808727641.0000000004E56000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: 0.2.hesaphareketi-01.pdf.SCR.exe.38a1450.3.raw.unpack, Ljq6xD21ACX.cs | Reference to suspicious API methods: OZkujShDCVG.OpenProcess(aPNZ30.DuplicateHandle, bInheritHandle: true, (uint)snUp2.ProcessID)
                    Source: 0.2.hesaphareketi-01.pdf.SCR.exe.4cc0000.5.raw.unpack, QJDLGErGwGLnDsDTGnUfx.cs | Reference to suspicious API methods: MyGetProcAddress(hProcess, Name)
                    Source: 0.2.hesaphareketi-01.pdf.SCR.exe.4cc0000.5.raw.unpack, QJDLGErGwGLnDsDTGnUfx.cs | Reference to suspicious API methods: LoadLibraryA(ref name)
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tt.exe'
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" ??????????-??????????e??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????p??????????o??????????l??????????i??????????c??????????y?????????? ??????????b??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????c?????????o?????????p?????????y?????????-?????????i?????????t?????????e?????????m 'c:\users\user\desktop\hesaphareketi-01.pdf.scr.exe' 'c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\tt.exe'
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Queries volume information: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe VolumeInformation
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Queries volume information: C:\Windows\Fonts\OFFSYM.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll | VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll | VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk | VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log | VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk | VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log | VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log | VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log | VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk | VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db | VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm | VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db | VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db | VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ | VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Queries volume information: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Queries volume information: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | VolumeInformation
                    Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 0.2.hesaphareketi-01.pdf.SCR.exe.38a1450.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.hesaphareketi-01.pdf.SCR.exe.38a1450.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.hesaphareketi-01.pdf.SCR.exe.37da1b0.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.hesaphareketi-01.pdf.SCR.exe.3789b80.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000003.00000002.3042736012.0000000002EA4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.3042736012.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1800686343.0000000003739000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.3042736012.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.3040210068.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: hesaphareketi-01.pdf.SCR.exe PID: 6592, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 416, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara match | File source: 0.2.hesaphareketi-01.pdf.SCR.exe.38a1450.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.hesaphareketi-01.pdf.SCR.exe.38a1450.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.hesaphareketi-01.pdf.SCR.exe.37da1b0.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.hesaphareketi-01.pdf.SCR.exe.3789b80.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.1800686343.0000000003739000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.3042736012.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.3040210068.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: hesaphareketi-01.pdf.SCR.exe PID: 6592, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 416, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match, File source: 0.2.hesaphareketi-01.pdf.SCR.exe.38a1450.3.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.hesaphareketi-01.pdf.SCR.exe.38a1450.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.hesaphareketi-01.pdf.SCR.exe.37da1b0.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.hesaphareketi-01.pdf.SCR.exe.3789b80.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 00000003.00000002.3042736012.0000000002EA4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000003.00000002.3042736012.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000000.00000002.1800686343.0000000003739000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000003.00000002.3042736012.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000003.00000002.3040210068.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: hesaphareketi-01.pdf.SCR.exe PID: 6592, type: MEMORYSTR
                    Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 416, type: MEMORYSTR
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 Native API | 1 Registry Run Keys / Startup Folder | 11 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 34 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 1 Command and Scripting Interpreter | Logon Script (Windows) | 1 Registry Run Keys / Startup Folder | 121 Obfuscated Files or Information | 1 Credentials in Registry | 121 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Software Packing | NTDS | 1 Process Discovery | Distributed Component Object Model | 1 Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 151 Virtualization/Sandbox Evasion | SSH | Keylogging | 23 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 111 Masquerading | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 151 Virtualization/Sandbox Evasion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 11 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Hidden Files and Directories | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
                    Behavior Graph ID: 1428352
                    Sample: hesaphareketi-01.pdf.SCR.exe
                    Startdate: 18/04/2024
                    Architecture: WINDOWS
                    Score: 100

                    Start node (2):
                      DNS/IP: business29.web-hosting.com; api.ipify.org
                      Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 10 other signatures
                      Processes started: hesaphareketi-01.pdf.SCR.exe 3 (node 8); cbsBVT.exe 2 (node 10); cbsBVT.exe 1 (node 12); svchost.exe 1 1 (node 14)

                    hesaphareketi-01.pdf.SCR.exe (node 8) started: RegAsm.exe 16 4 (node 17); powershell.exe 21 (node 22)
                    cbsBVT.exe (node 10) started: conhost.exe (node 24)
                    cbsBVT.exe (node 12) started: conhost.exe (node 26)
                    svchost.exe (node 14) contacted: 127.0.0.1 unknown unknown

                    RegAsm.exe (node 17):
                      DNS/IP: business29.web-hosting.com 198.54.114.199, ports 49736, 587, NAMECHEAP-NETUS, United States; api.ipify.org 104.26.12.205, ports 443, 49732, CLOUDFLARENETUS, United States
                      Dropped: C:\Users\user\AppData\Roaming\...\cbsBVT.exe, PE32
                      Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 3 other signatures

                    powershell.exe (node 22):
                      Signatures: Loading BitLocker PowerShell Module
                      Started: conhost.exe (node 28)

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| hesaphareketi-01.pdf.SCR.exe | 37% | ReversingLabs | Win32.Trojan.Generic | |
| hesaphareketi-01.pdf.SCR.exe | 100% | Avira | HEUR/AGEN.1311129 | |
| hesaphareketi-01.pdf.SCR.exe | 100% | Joe Sandbox ML | | |

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | 0% | ReversingLabs | | |

                    No Antivirus matches
                    No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| https://contoso.com/License | 0% | URL Reputation | safe | |
| http://www.tiro.com | 0% | URL Reputation | safe | |
| http://www.goodfont.co.kr | 0% | URL Reputation | safe | |
| http://go.micros | 0% | URL Reputation | safe | |
| http://www.sajatypeworks.com | 0% | URL Reputation | safe | |
| http://www.typography.netD | 0% | URL Reputation | safe | |
| http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe | |
| https://contoso.com/ | 0% | URL Reputation | safe | |
| http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe | |
| http://www.sandoll.co.kr | 0% | URL Reputation | safe | |
| http://www.urwpp.deDPlease | 0% | URL Reputation | safe | |
| http://www.sakkal.com | 0% | URL Reputation | safe | |
| http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 0% | URL Reputation | safe | |
| https://sectigo.com/CPS0 | 0% | URL Reputation | safe | |
| http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware | |
| https://contoso.com/Icon | 0% | URL Reputation | safe | |
| http://www.carterandcone.coml | 0% | URL Reputation | safe | |
| http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe | |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| api.ipify.org | 104.26.12.205 | true | false | | high |
| business29.web-hosting.com | 198.54.114.199 | true | false | | high |

| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| https://api.ipify.org/ | false | | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| http://www.fontbureau.com/designersG | hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1804166325.0000000006C22000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.fontbureau.com/designers/? | hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1804166325.0000000006C22000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://aka..winsvrxd | powershell.exe, 00000001.00000002.1815427737.0000000007939000.00000004.00000020.00020000.00000000.sdmp | false | | low |
| http://www.founder.com.cn/cn/bThe | hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1804166325.0000000006C22000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://www.fontbureau.com/designers? | hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1804166325.0000000006C22000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://contoso.com/License | powershell.exe, 00000001.00000002.1812874915.0000000005D68000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://www.tiro.com | hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1804166325.0000000006C22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://g.live.com/odclientsettings/ProdV2.C: | edb.log.4.dr | false | | high |
| http://www.fontbureau.com/designers | hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1804166325.0000000006C22000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.goodfont.co.kr | hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1804166325.0000000006C22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://go.micros | powershell.exe, 00000001.00000002.1808727641.00000000051FC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://www.sajatypeworks.com | hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1804166325.0000000006C22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://www.typography.netD | hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1804166325.0000000006C22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://g.live.com/odclientsettings/Prod.C: | edb.log.4.dr | false | | high |
| http://www.founder.com.cn/cn/cThe | hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1804166325.0000000006C22000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://www.galapagosdesign.com/staff/dennis.htm | hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1804166325.0000000006C22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://api.ipify.org | hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1800686343.0000000003739000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3042736012.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3040210068.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high |
| https://g.live.com/odclientsettings/ProdV2 | edb.log.4.dr | false | | high |
| https://aka.ms/pscore6lB | powershell.exe, 00000001.00000002.1808727641.0000000004D01000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://contoso.com/ | powershell.exe, 00000001.00000002.1812874915.0000000005D68000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.1812874915.0000000005D68000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.galapagosdesign.com/DPlease | hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1804166325.0000000006C22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://www.fonts.com | hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1804166325.0000000006C22000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.sandoll.co.kr | hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1804166325.0000000006C22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://www.urwpp.deDPlease | hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1804166325.0000000006C22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://www.zhongyicts.com.cn | hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1804166325.0000000006C22000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.1808727641.0000000004D01000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3042736012.0000000002E21000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.sakkal.com | hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1804166325.0000000006C22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6 | svchost.exe, 00000004.00000003.1791796088.000001F37AEC2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr | false | | high |
| http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | RegAsm.exe, 00000003.00000002.3042736012.0000000002EA4000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3041850407.000000000127C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3050148563.0000000006290000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.1812874915.0000000005D68000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.apache.org/licenses/LICENSE-2.0 | hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1804166325.0000000006C22000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.fontbureau.com | hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1804166325.0000000006C22000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000001.00000002.1808727641.0000000004E56000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://sectigo.com/CPS0 | RegAsm.exe, 00000003.00000002.3042736012.0000000002EA4000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3041850407.000000000127C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3050148563.0000000006290000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://ocsp.sectigo.com0- | RegAsm.exe, 00000003.00000002.3042736012.0000000002EA4000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3041850407.000000000127C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3050148563.0000000006290000.00000004.00000020.00020000.00000000.sdmp | false | | low |
| https://account.dyn.com/ | hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1800686343.0000000003739000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3040210068.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high |
| http://pesterbdd.com/images/Pester.png | powershell.exe, 00000001.00000002.1808727641.0000000004E56000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown |
| http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000001.00000002.1808727641.0000000004E56000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000001.00000002.1808727641.0000000004E56000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://contoso.com/Icon | powershell.exe, 00000001.00000002.1812874915.0000000005D68000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://crl.ver) | svchost.exe, 00000004.00000002.3042082562.000001F37AC00000.00000004.00000020.00020000.00000000.sdmp | false | | low |
| https://api.ipify.org/t | RegAsm.exe, 00000003.00000002.3042736012.0000000002E21000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://github.com/sam210723/goesrecv-monitor/releases/latest | hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1802601250.0000000004EF0000.00000004.08000000.00040000.00000000.sdmp, hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1800686343.0000000003739000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://github.com/Pester/Pester | powershell.exe, 00000001.00000002.1808727641.0000000004E56000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.carterandcone.coml | hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1804166325.0000000006C22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://www.fontbureau.com/designers/cabarga.htmlN | hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1804166325.0000000006C22000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.founder.com.cn/cn | hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1804166325.0000000006C22000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://www.fontbureau.com/designers/frere-user.html | hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1804166325.0000000006C22000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96 | svchost.exe, 00000004.00000003.1791796088.000001F37AEC2000.00000004.00000800.00020000.00000000.sdmp, edb.log.4.dr | false | | high |
| http://business29.web-hosting.com | RegAsm.exe, 00000003.00000002.3042736012.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://vksdr.com/goesrecv-monitor | hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1802601250.0000000004EF0000.00000004.08000000.00040000.00000000.sdmp, hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1800686343.0000000003739000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000001.00000002.1808727641.0000000004E56000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.jiyu-kobo.co.jp/ | hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1804166325.0000000006C22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://www.fontbureau.com/designers8 | hesaphareketi-01.pdf.SCR.exe, 00000000.00000002.1804166325.0000000006C22000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 198.54.114.199 | business29.web-hosting.com | United States | | 22612 | NAMECHEAP-NETUS | false |
| 104.26.12.205 | api.ipify.org | United States | | 13335 | CLOUDFLARENETUS | false |

| IP |
|---|
| 127.0.0.1 |
                    Joe Sandbox version: 40.0.0 Tourmaline
                    Analysis ID: 1428352
                    Start date and time: 2024-04-18 21:15:38 +02:00
                    Joe Sandbox product: CloudBasic
                    Overall analysis duration: 0h 7m 25s
                    Hypervisor based Inspection enabled: false
                    Report type: full
                    Cookbook file name: default.jbs
                    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed: 13
                    Number of new started drivers analysed: 0
                    Number of existing processes analysed: 0
                    Number of existing drivers analysed: 0
                    Number of injected processes analysed: 0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode: default
                    Analysis stop reason: Timeout
                    Sample name: hesaphareketi-01.pdf.SCR.exe
                    Detection: MAL
                    Classification: mal100.spre.troj.spyw.evad.winEXE@11/14@2/3
                    EGA Information:
                    • Successful, ratio: 40%
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 109
                    • Number of non-executed functions: 12
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                                                    • Excluded IPs from analysis (whitelisted): 23.220.189.216
                                                                                                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
                                                                                                    • Execution Graph export aborted for target cbsBVT.exe, PID 1068 because it is empty
                                                                                                    • Execution Graph export aborted for target cbsBVT.exe, PID 6760 because it is empty
                                                                                                    • Execution Graph export aborted for target powershell.exe, PID 6692 because it is empty
                                                                                                    • Not all processes where analyzed, report is missing behavior information
                                                                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                    • Report size getting too big, too many NtCreateKey calls found.
                                                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                    • VT rate limit hit for: hesaphareketi-01.pdf.SCR.exe
Time     | Type            | Description
20:16:51 | Autostart       | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run cbsBVT C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe
20:16:59 | Autostart       | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run cbsBVT C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe
21:16:43 | API Interceptor | 23x Sleep call for process: powershell.exe modified
21:16:44 | API Interceptor | 2x Sleep call for process: svchost.exe modified
21:16:51 | API Interceptor | 32x Sleep call for process: RegAsm.exe modified
Match (IP)     | Associated sample name / URL                                 | Detection | Threat name  | Context
198.54.114.199 | http://duckyblogs.com/2022/08/30/keith-cederholm-barn        | malicious | Unknown      | duckyblogs.com/2022/08/30/keith-cederholm-barn
104.26.12.205  | Sky-Beta.exe                                                 | malicious | Stealit      | api.ipify.org/?format=json
104.26.12.205  | SecuriteInfo.com.Backdoor.Win32.Agent.myuuxz.13708.17224.exe | malicious | Bunny Loader | api.ipify.org/
104.26.12.205  | lods.cmd                                                     | malicious | Remcos       | api.ipify.org/
Match (domain)             | Associated sample name / URL                          | Detection | Threat name                          | Context
business29.web-hosting.com | hesaphareketi_1.SCR.exe                               | malicious | AgentTesla                           | 198.54.114.199
api.ipify.org              | order & specification.vbs                             | malicious | AgentTesla, GuLoader                 | 104.26.13.205
api.ipify.org              | SHIPPING DOCUMENTS_PDF..vbs                           | malicious | AgentTesla, GuLoader                 | 104.26.13.205
api.ipify.org              | Payment Advice.exe                                    | malicious | AgentTesla                           | 104.26.13.205
api.ipify.org              | RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe  | malicious | AgentTesla                           | 104.26.13.205
api.ipify.org              | order 4500381478001.exe                               | malicious | AgentTesla                           | 104.26.13.205
api.ipify.org              | Scan-IMG PO Order CW289170-A CW201.bat.exe            | malicious | AgentTesla                           | 172.67.74.152
api.ipify.org              | TransactionSummary_910020049836765_110424045239.xlsx  | malicious | AgentTesla                           | 104.26.13.205
api.ipify.org              | PRODUCT LIST_002673CC1F68.pdf.exe                     | malicious | AgentTesla                           | 172.67.74.152
api.ipify.org              | WZM.exe                                               | malicious | AgentTesla, PureLog Stealer, RedLine | 104.26.12.205
api.ipify.org              | hesaphareketi_1.SCR.exe                               | malicious | AgentTesla                           | 104.26.13.205
Match (ASN)     | Associated sample name / URL                                                                                                                                  | Detection | Threat name                   | Context
CLOUDFLARENETUS | 2020.xls                                                                                                                                                      | malicious | Remcos, DBatLoader            | 172.67.206.230
CLOUDFLARENETUS | Signed Proforma Invoice 3645479_pdf.vbs                                                                                                                       | malicious | FormBook                      | 104.21.45.138
CLOUDFLARENETUS | F723838674.vbs                                                                                                                                                | malicious | Remcos                        | 104.21.84.67
CLOUDFLARENETUS | order & specification.vbs                                                                                                                                     | malicious | AgentTesla, GuLoader          | 104.26.13.205
CLOUDFLARENETUS | CTM REQUEST BIRTHSHIP.doc                                                                                                                                     | malicious | AgentTesla                    | 172.67.175.222
CLOUDFLARENETUS | SHIPPING DOCUMENTS_PDF..vbs                                                                                                                                   | malicious | AgentTesla, GuLoader          | 104.26.13.205
CLOUDFLARENETUS | DHL Receipt_pdf.vbs                                                                                                                                           | malicious | AgentTesla                    | 104.21.84.67
CLOUDFLARENETUS | PO_La-Tanerie04180240124.vbs                                                                                                                                  | malicious | FormBook, GuLoader            | 104.21.74.5
CLOUDFLARENETUS | Remittance slip.vbs                                                                                                                                           | malicious | Unknown                       | 104.21.84.67
CLOUDFLARENETUS | https://msteams.link/WK80                                                                                                                                     | malicious | Phisher                       | 104.21.80.104
NAMECHEAP-NETUS | Remittance slip.vbs                                                                                                                                           | malicious | Unknown                       | 185.61.152.60
NAMECHEAP-NETUS | hesaphareketi_1.SCR.exe                                                                                                                                       | malicious | AgentTesla                    | 198.54.114.199
NAMECHEAP-NETUS | Payment Advice for Invoice 2024 0904.vbs                                                                                                                      | malicious | FormBook                      | 185.61.152.60
NAMECHEAP-NETUS | https://assets-usa.mkt.dynamics.com/d7d7d53b-67f7-ee11-9046-6045bda8c213/digitalassets/standaloneforms/a8a5d076-d2fc-ee11-a1fe-6045bda76c78                   | malicious | Outlook Phishing, HTMLPhisher | 162.0.232.241
NAMECHEAP-NETUS | PO JSC_109117.exe                                                                                                                                             | malicious | AgentTesla                    | 198.54.120.175
NAMECHEAP-NETUS | TNT Invoicing_pdf.vbs                                                                                                                                         | malicious | FormBook                      | 185.61.152.60
NAMECHEAP-NETUS | Arrival Notice.vbs                                                                                                                                            | malicious | FormBook, GuLoader            | 162.255.119.150
NAMECHEAP-NETUS | RFQ.exe                                                                                                                                                       | malicious | FormBook                      | 37.61.232.138
NAMECHEAP-NETUS | rSyDiExlek.exe                                                                                                                                                | malicious | Snake Keylogger               | 198.54.122.135
NAMECHEAP-NETUS | Ordin de plată.exe                                                                                                                                            | malicious | FormBook                      | 198.54.120.175
Match                            | Associated sample name / URL                  | Detection | Threat name          | Context
3b5074b1b5d032e5620f69f9f700ff0e | Request for Proposal Quote_2414976·pdf.vbs   | malicious | GuLoader, Lokibot    | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | Signed Proforma Invoice 3645479_pdf.vbs       | malicious | FormBook             | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | F723838674.vbs                                | malicious | Remcos               | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | order & specification.vbs                     | malicious | AgentTesla, GuLoader | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | SHIPPING DOCUMENTS_PDF..vbs                   | malicious | AgentTesla, GuLoader | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | DHL Receipt_pdf.vbs                           | malicious | AgentTesla           | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | Remittance slip.vbs                           | malicious | Unknown              | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | Cheater Pro 1.6.0.msi                         | malicious | Unknown              | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | pQTmpNQX2u.exe                                | malicious | DCRat                | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | Payment Advice.exe                            | malicious | AgentTesla           | 104.26.12.205
Match (dropped file)                            | Associated sample name / URL                 | Detection | Threat name
C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | hesaphareketi_1.SCR.exe                      | malicious | AgentTesla
C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | remasdasd.exe                                | malicious | XWorm
C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | 9safSk1jJz.exe                               | malicious | RedLine
C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | OZQB66iRBr.exe                               | malicious | RisePro Stealer
C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | BXQ4Nv60Rl.exe                               | malicious | RisePro Stealer
C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | nq5gQXmhPL.exe                               | malicious | RisePro Stealer
C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | B266519287329.IMG                            | malicious | XWorm
C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | https://castorndpollux.com/R9283762154.zip   | malicious | XWorm
C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | 03.04.24 0000123.vbs                         | malicious | AgentTesla, XWorm
C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | R9283762154.wsf                              | malicious | XWorm
Note that this dropped-file match is also listed for XWorm, RedLine and RisePro Stealer samples, so on its own it is not family-specific; the AgentTesla relation in this table is the hesaphareketi_1.SCR.exe entry.
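A triage check built from the indicators in this section: the HKCU Run value the sample writes, the IP and domain matches, and the double-extension naming of the sample itself. This is an added example, not code from the Joe Sandbox report and not part of AgentTesla. The Run value name and path, the IP 198.54.114.199, the domains business29.web-hosting.com and api.ipify.org, and the sample name are taken from the report; the Sysmon-style event records, the SID, the "VendorTray" entry, the extension lists and the scoring rules are constructed here and are heuristics, not anything the report states. The check is written to score any Run value under HKCU, HKU\<SID>, HKCU64 or HKLM, which goes beyond the single entry the report lists.

```python
"""Triage of Sysmon-style telemetry against indicators from the report above.

Added example: not code from the Joe Sandbox report and not AgentTesla's code.
Indicator values (Run value name/path, IP, domains, sample name) are copied from
the report; the event records in SAMPLE_EVENTS are constructed, not real logs.
"""
import re
from typing import Dict, List, Optional

# Indicators from the report: persistence entry, related IP and domain matches.
REPORT_RUN_VALUE = "cbsBVT"
REPORT_RUN_PATH = r"C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
REPORT_IPS = {"198.54.114.199"}
REPORT_DOMAINS = {"business29.web-hosting.com"}
# api.ipify.org shows up in the report's context for Stealit, Bunny Loader and
# Remcos samples as well, so it is scored as a weak indicator, not as C2.
WEAK_DOMAINS = {"api.ipify.org"}

# Run keys as Sysmon writes them (HKU\<SID>\...) and as the report writes them
# (HKCU, HKCU64); HKLM is included so machine-wide Run values are scored too.
RUN_KEY_RE = re.compile(
    r"^(HKCU|HKCU64|HKLM|HKU\\[^\\]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    re.IGNORECASE,
)
# Constructed heuristic lists, not from the report.
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "txt"}
EXEC_EXTS = {"exe", "scr", "com", "bat", "cmd", "vbs", "js", "wsf", "msi"}


def has_double_extension(path: str) -> bool:
    """True for names such as hesaphareketi-01.pdf.SCR.exe: an executable
    extension at the end with a document or second executable extension
    hidden before it."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    parts = name.lower().split(".")
    if len(parts) < 3 or parts[-1] not in EXEC_EXTS:
        return False
    return any(p in DOC_EXTS or p in EXEC_EXTS for p in parts[1:-1])


def assess_run_value(target: str, data: str) -> List[str]:
    """Score a registry value written under a Run key; empty list = nothing noted."""
    reasons: List[str] = []
    if not RUN_KEY_RE.match(target):
        return reasons
    value_name = target.rsplit("\\", 1)[-1]
    exe = data.strip().strip('"')
    if value_name.lower() == REPORT_RUN_VALUE.lower() and exe.lower() == REPORT_RUN_PATH.lower():
        reasons.append("exact match with the cbsBVT Run entry from the report")
    if re.search(r"\\AppData\\Roaming\\", exe, re.IGNORECASE):
        reasons.append("autostart of a binary under %APPDATA% (user-writable, no installer)")
    if has_double_extension(exe):
        reasons.append("autostart target carries a disguised double extension")
    return reasons


def assess_network(dest_ip: Optional[str] = None, query: Optional[str] = None) -> List[str]:
    """Score a connection or DNS query against the report's IP/domain matches."""
    reasons: List[str] = []
    if dest_ip and dest_ip in REPORT_IPS:
        reasons.append(f"connection to {dest_ip} (IP listed for business29.web-hosting.com)")
    if query:
        q = query.lower().rstrip(".")
        if q in REPORT_DOMAINS:
            reasons.append(f"DNS lookup of {q} (domain match in the report)")
        elif q in WEAK_DOMAINS:
            reasons.append(f"DNS lookup of {q} (public IP check used by many families; weak)")
    return reasons


def triage(events: List[Dict]) -> List[tuple]:
    """Run each event through the check for its type; return (EventID, Image, reasons) hits."""
    hits = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 13:       # RegistryEvent: value set
            reasons = assess_run_value(ev["TargetObject"], ev["Details"])
        elif eid == 3:      # NetworkConnect
            reasons = assess_network(dest_ip=ev["DestinationIp"])
        elif eid == 22:     # DnsQuery
            reasons = assess_network(query=ev["QueryName"])
        elif eid == 11:     # FileCreate
            fn = ev["TargetFilename"]
            reasons = ["file with disguised double extension: " + fn] if has_double_extension(fn) else []
        else:
            reasons = []
        if reasons:
            hits.append((eid, ev["Image"], reasons))
    return hits


# Constructed events mirroring the report's behaviour; the SID and the
# "VendorTray" entry are invented for illustration.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe"},
    {"EventID": 13, "Image": r"C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\cbsBVT",
     "Details": r"C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    {"EventID": 22, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "QueryName": "api.ipify.org"},
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "DestinationIp": "198.54.114.199"},
]

if __name__ == "__main__":
    for eid, image, reasons in triage(SAMPLE_EVENTS):
        print(f"event {eid:2d} {image}")
        for r in reasons:
            print(f"    - {r}")
```

The field names (TargetObject, Details, DestinationIp, QueryName, TargetFilename, Image) are the ones Sysmon uses for event IDs 13, 3, 22 and 11, so real events exported as dictionaries can be fed to `triage` unchanged. The benign HKLM "VendorTray" entry produces no hit, the cbsBVT entry produces two reasons (exact match plus the %APPDATA% heuristic), and the api.ipify.org lookup is reported as weak so that it is not mistaken for command-and-control traffic.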
                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):1310720
                                                                                                                        Entropy (8bit):1.3073548394613905
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvru:KooCEYhgYEL0In
                                                                                                                        MD5:3AD28A0EAE7DD28F148AA72F46E5F741
                                                                                                                        SHA1:9227AA3055FFA62851E522F1BE01C7F5771E87BB
                                                                                                                        SHA-256:CB74CF91662AFCB55BF2E02389935D6476A42E542FE85C15BCEADD53706B4D64
                                                                                                                        SHA-512:7EC1C387F4E6334A18ACC1D17AA24200D1C7FFBB32224F56B509174A4DC36AE2E98E896CCB7039157D4F83E063B60022793A4F77386735644148692CCD3B04C5
                                                                                                                        Malicious:false
                                                                                                                        Reputation:low
                                                                                                                        Preview:z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................
                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                        File Type:Extensible storage engine DataBase, version 0x620, checksum 0x10f7c474, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):1310720
                                                                                                                        Entropy (8bit):0.42217836837332384
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:ZSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:Zaza/vMUM2Uvz7DO
                                                                                                                        MD5:3EE4CCE166590DCF628721DB37BC0D76
                                                                                                                        SHA1:C48E9736D9A58BFCF6CDA8FEB5E69BB7264C0523
                                                                                                                        SHA-256:6EBF0F61A763AAA37144AAE89B43003485D317726F492C006CF37C3C92D4FA53
                                                                                                                        SHA-512:751B44A86A007B5DC20B78CFABEAE71BCC63BD401973C2B46F0FE68938139A6F740E954CAD75A46B97CE75A066FDD5C5E5786D3398ABCFC47D962CB36C114A9A
                                                                                                                        Malicious:false
                                                                                                                        Reputation:low
                                                                                                                        Preview:...t... .......A.......X\...;...{......................0.!..........{A.,....|..h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{................................... .;,....|u....................H,....|W..........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................
                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):16384
                                                                                                                        Entropy (8bit):0.077526978254612
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3:KlyYe+mhFlvjn13a/Zt7BlYllcVO/lnlZMxZNQl:+yzBx53qZt7TIOewk
                                                                                                                        MD5:A83D03687D54A1A8A77BD6D64A5A30D5
                                                                                                                        SHA1:129919BB4BE63A4B916E26212CEF752DD6B9031C
                                                                                                                        SHA-256:A0B8AB23971FAFCA3BB0C818E1F89446347FE1313D8A528C9F9B7DD8B83CA686
                                                                                                                        SHA-512:F3BB247D50D0A0B9134C9F6AFEA063142E0EBF53D33791C408C3F3AABDEA3A92DBE62709869D81C3660BB02345ABF0138B079498E978680DDA642EB1D1C756B4
                                                                                                                        Malicious:false
                                                                                                                        Reputation:low
                                                                                                                        Preview:.BjJ.....................................;...{..,....|W......{A..............{A......{A..........{A]...................H,....|W.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                        Process:C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe
                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                        Category:modified
                                                                                                                        Size (bytes):42
                                                                                                                        Entropy (8bit):4.0050635535766075
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                                                                                                                        MD5:84CFDB4B995B1DBF543B26B86C863ADC
                                                                                                                        SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                                                                                                                        SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                                                                                                                        SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                                                                                                                        Malicious:false
                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..
                                                                                                                        Process:C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe
                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):1216
                                                                                                                        Entropy (8bit):5.34331486778365
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                                                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                                                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                                                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                                                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                                                        Malicious:false
                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):64
                                                                                                                        Entropy (8bit):1.1510207563435464
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3:NlllulPki/llllZ:NllUcylll
                                                                                                                        MD5:D8D47FD6FA3E199E4AFF68B91F1D04A8
                                                                                                                        SHA1:788625E414B030E5174C5BE7262A4C93502C2C21
                                                                                                                        SHA-256:2D9AF9AB25D04D1CF9B25DB196A988CD6E4124C1B8E185B96F2AB9554F4A6738
                                                                                                                        SHA-512:5BFD83D07DC3CB53563F215BE1D4D7206340A4C0AB06988697637C402793146D13CDDE0E27DC8301E4506553D957876AC9D7A7BF3C7431BBDD5F019C17AB0A58
                                                                                                                        Malicious:false
                                                                                                                        Preview:@...e.................................^..............@..........
                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):60
                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                        Malicious:false
                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:modified
                                                                                                                        Size (bytes):65440
                                                                                                                        Entropy (8bit):6.049806962480652
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:X8XcJiMjm2ieHlPyCsSuJbn8dBhFwlSMF6Iq8KSYDKbQ22qWqO8w1R:rYMaNylPYSAb8dBnsHsPDKbQBqTY
                                                                                                                        MD5:0D5DF43AF2916F47D00C1573797C1A13
                                                                                                                        SHA1:230AB5559E806574D26B4C20847C368ED55483B0
                                                                                                                        SHA-256:C066AEE7AA3AA83F763EBC5541DAA266ED6C648FBFFCDE0D836A13B221BB2ADC
                                                                                                                        SHA-512:F96CF9E1890746B12DAF839A6D0F16F062B72C1B8A40439F96583F242980F10F867720232A6FA0F7D4D7AC0A7A6143981A5A130D6417EA98B181447134C7CFE2
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Joe Sandbox View:
                                                                                                                         • Filename: hesaphareketi_1.SCR.exe, Detection: malicious
                                                                                                                         • Filename: remasdasd.exe, Detection: malicious
                                                                                                                         • Filename: 9safSk1jJz.exe, Detection: malicious
                                                                                                                         • Filename: OZQB66iRBr.exe, Detection: malicious
                                                                                                                         • Filename: BXQ4Nv60Rl.exe, Detection: malicious
                                                                                                                         • Filename: nq5gQXmhPL.exe, Detection: malicious
                                                                                                                         • Filename: B266519287329.IMG, Detection: malicious
                                                                                                                         • Filename: , Detection: malicious
                                                                                                                         • Filename: 03.04.24 0000123.vbs, Detection: malicious
                                                                                                                         • Filename: R9283762154.wsf, Detection: malicious
                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0.............^.... ........@.. ....................... .......F....`.....................................O.......8................A........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................@.......H........A...p..........T................................................~P...-.r...p.....(....(....s.....P...*..0.."........(......-.r...p.rI..p(....s....z.*...0..........(....~P.....o......*..(....*n(.....(..........%...(....*~(.....(..........%...%...(....*.(.....(..........%...%...%...(....*V.(......}Q.....}R...*..{Q...*..{R...*...0...........(.......i.=...}S......i.@...}T......i.@...}U.....+m...(....o .....r]..p.o!...,..{T.......{U........o"....+(.ra..p.o!...,..{T.......
                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                        File Type:JSON data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):55
                                                                                                                        Entropy (8bit):4.306461250274409
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                        MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                        SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                        SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                        SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                        Malicious:false
                                                                                                                        Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                                        Process:C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe
                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):1049
                                                                                                                        Entropy (8bit):4.286073681226177
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:24:z3d3+DO/0XZd3Wo3opQ5ZKBQFYVgt7ovrNOYlK:zNODBXZxo4ABV+SrUYE
                                                                                                                        MD5:402278578416001C915480C7040F2964
                                                                                                                        SHA1:B4833865ECE3609EC213509D4AB7D7A195C00753
                                                                                                                        SHA-256:86E0747C9B54AA9AACB788589E70E19279DF13F1393795E689342AF3302912E1
                                                                                                                        SHA-512:473600FBC051B22E9E7A6FBE1694ED736CF90DE5A8DF92AF1FA9A85DDD97379CFF0E8A5DF89937AE083BEBEFC81C407A907D0FB5ED9019BEDF6FB4703838321B
                                                                                                                        Malicious:false
                                                                                                                        Preview:Microsoft .NET Framework Assembly Registration Utility version 4.8.4084.0..for Microsoft .NET Framework version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....Syntax: RegAsm AssemblyName [Options]..Options:.. /unregister Unregister types.. /tlb[:FileName] Export the assembly to the specified type library.. and register it.. /regfile[:FileName] Generate a reg file with the specified name.. instead of registering the types. This option.. cannot be used with the /u or /tlb options.. /codebase Set the code base in the registry.. /registered Only refer to already registered type libraries.. /asmpath:Directory Look for assembly references here.. /nologo Prevents RegAsm from displaying logo.. /silent Silent mode. Prevents displaying of success messages.. /verbose Displays extra information..
                                                                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Entropy (8bit):7.956150936982764
                                                                                                                        TrID:
                                                                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                        • DOS Executable Generic (2002/1) 0.01%
                                                                                                                        File name:hesaphareketi-01.pdf.SCR.exe
                                                                                                                        File size:351'744 bytes
                                                                                                                        MD5:d4e8894fb5ed5f45972882fbc6ef04dc
                                                                                                                        SHA1:f5ac926e2501659cd3933afb72e1172b1147f95d
                                                                                                                        SHA256:4888ef9f557bfc04c0c7da3ff2dc1fc34767273d90053aa1e04c3892300afe12
                                                                                                                        SHA512:bd9b3644bfe90a3c435fcbf8895163963b4302dbe64db5652c5978cb6cfcf19b6f84249909c597e00425c375456bcda0eb1aad31b2825c6d60d1bc0983f3d389
                                                                                                                        SSDEEP:6144:MvkECw92bslgwmEuLCP50vDht1LIUcz7zyr+RCniN/F59ZrE:MvKC2bwmEbIht15c/qip
                                                                                                                        TLSH:4B74E1A9C2D66BB9DD864AF4ED52107D01FD0803668F6F9D4A4D2C362C6E20D3B42B5F
                                                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...i.................0..T...........s... ........@.. ....................................@................................
                                                                                                                        Icon Hash:90cececece8e8eb0
                                                                                                                        Entrypoint:0x45732e
                                                                                                                        Entrypoint Section:.text
                                                                                                                        Digitally signed:false
                                                                                                                        Imagebase:0x400000
                                                                                                                        Subsystem:windows gui
                                                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                        Time Stamp:0xF7E2BC69 [Sat Oct 15 15:02:01 2101 UTC]
                                                                                                                        TLS Callbacks:
                                                                                                                        CLR (.Net) Version:
                                                                                                                        OS Version Major:4
                                                                                                                        OS Version Minor:0
                                                                                                                        File Version Major:4
                                                                                                                        File Version Minor:0
                                                                                                                        Subsystem Version Major:4
                                                                                                                        Subsystem Version Minor:0
                                                                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the line above is repeated 97 times in the listing: the bytes following the entry-point jump through the IAT are zeros, which disassemble as add byte ptr [eax], al)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x572d8 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x58000 | 0x596 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5a000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x55334 | 0x55400 | f5c6744f5793b0149df0f455b3a4af3c | False | 0.9146925403225806 | data | 7.96694997733209 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x58000 | 0x596 | 0x600 | 3d90fd21b72ae9f5b6386b91e1399e8d | False | 0.4140625 | data | 4.028643800397872 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x5a000 | 0xc | 0x200 | 3a8afa8452cf5d7f547fef5fc058d9ed | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x580a0 | 0x30c | data | | | 0.4269230769230769
RT_MANIFEST | 0x583ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 18, 2024 21:16:46.099497080 CEST | 49732 | 443 | 192.168.2.4 | 104.26.12.205
Apr 18, 2024 21:16:46.099529982 CEST | 443 | 49732 | 104.26.12.205 | 192.168.2.4
Apr 18, 2024 21:16:46.099590063 CEST | 49732 | 443 | 192.168.2.4 | 104.26.12.205
Apr 18, 2024 21:16:46.110135078 CEST | 49732 | 443 | 192.168.2.4 | 104.26.12.205
Apr 18, 2024 21:16:46.110147953 CEST | 443 | 49732 | 104.26.12.205 | 192.168.2.4
Apr 18, 2024 21:16:46.332119942 CEST | 443 | 49732 | 104.26.12.205 | 192.168.2.4
Apr 18, 2024 21:16:46.332226038 CEST | 49732 | 443 | 192.168.2.4 | 104.26.12.205
Apr 18, 2024 21:16:46.336447954 CEST | 49732 | 443 | 192.168.2.4 | 104.26.12.205
Apr 18, 2024 21:16:46.336456060 CEST | 443 | 49732 | 104.26.12.205 | 192.168.2.4
Apr 18, 2024 21:16:46.336767912 CEST | 443 | 49732 | 104.26.12.205 | 192.168.2.4
Apr 18, 2024 21:16:46.387701035 CEST | 49732 | 443 | 192.168.2.4 | 104.26.12.205
Apr 18, 2024 21:16:46.392978907 CEST | 49732 | 443 | 192.168.2.4 | 104.26.12.205
Apr 18, 2024 21:16:46.436120987 CEST | 443 | 49732 | 104.26.12.205 | 192.168.2.4
Apr 18, 2024 21:16:46.638405085 CEST | 443 | 49732 | 104.26.12.205 | 192.168.2.4
Apr 18, 2024 21:16:46.638467073 CEST | 443 | 49732 | 104.26.12.205 | 192.168.2.4
Apr 18, 2024 21:16:46.638560057 CEST | 49732 | 443 | 192.168.2.4 | 104.26.12.205
Apr 18, 2024 21:16:46.648564100 CEST | 49732 | 443 | 192.168.2.4 | 104.26.12.205
Apr 18, 2024 21:16:52.198290110 CEST | 49736 | 587 | 192.168.2.4 | 198.54.114.199
Apr 18, 2024 21:16:52.354726076 CEST | 587 | 49736 | 198.54.114.199 | 192.168.2.4
Apr 18, 2024 21:16:52.354945898 CEST | 49736 | 587 | 192.168.2.4 | 198.54.114.199
Apr 18, 2024 21:16:53.268362999 CEST | 587 | 49736 | 198.54.114.199 | 192.168.2.4
Apr 18, 2024 21:16:53.268574953 CEST | 49736 | 587 | 192.168.2.4 | 198.54.114.199
Apr 18, 2024 21:16:53.427421093 CEST | 587 | 49736 | 198.54.114.199 | 192.168.2.4
Apr 18, 2024 21:16:53.427661896 CEST | 49736 | 587 | 192.168.2.4 | 198.54.114.199
Apr 18, 2024 21:16:53.583811998 CEST | 587 | 49736 | 198.54.114.199 | 192.168.2.4
Apr 18, 2024 21:16:53.584336042 CEST | 49736 | 587 | 192.168.2.4 | 198.54.114.199
Apr 18, 2024 21:16:53.751782894 CEST | 587 | 49736 | 198.54.114.199 | 192.168.2.4
Apr 18, 2024 21:16:53.751847982 CEST | 587 | 49736 | 198.54.114.199 | 192.168.2.4
Apr 18, 2024 21:16:53.751887083 CEST | 587 | 49736 | 198.54.114.199 | 192.168.2.4
Apr 18, 2024 21:16:53.751945019 CEST | 587 | 49736 | 198.54.114.199 | 192.168.2.4
Apr 18, 2024 21:16:53.751974106 CEST | 49736 | 587 | 192.168.2.4 | 198.54.114.199
Apr 18, 2024 21:16:53.752006054 CEST | 49736 | 587 | 192.168.2.4 | 198.54.114.199
Apr 18, 2024 21:16:53.753866911 CEST | 587 | 49736 | 198.54.114.199 | 192.168.2.4
Apr 18, 2024 21:16:53.794034958 CEST | 49736 | 587 | 192.168.2.4 | 198.54.114.199
Apr 18, 2024 21:16:53.997364044 CEST | 49736 | 587 | 192.168.2.4 | 198.54.114.199
Apr 18, 2024 21:16:54.159778118 CEST | 587 | 49736 | 198.54.114.199 | 192.168.2.4
Apr 18, 2024 21:16:54.163717031 CEST | 49736 | 587 | 192.168.2.4 | 198.54.114.199
Apr 18, 2024 21:16:54.318609953 CEST | 587 | 49736 | 198.54.114.199 | 192.168.2.4
Apr 18, 2024 21:16:54.343871117 CEST | 49736 | 587 | 192.168.2.4 | 198.54.114.199
Apr 18, 2024 21:16:54.515575886 CEST | 587 | 49736 | 198.54.114.199 | 192.168.2.4
Apr 18, 2024 21:16:54.515944004 CEST | 49736 | 587 | 192.168.2.4 | 198.54.114.199
Apr 18, 2024 21:16:54.715617895 CEST | 587 | 49736 | 198.54.114.199 | 192.168.2.4
Apr 18, 2024 21:16:54.716882944 CEST | 587 | 49736 | 198.54.114.199 | 192.168.2.4
Apr 18, 2024 21:16:54.717271090 CEST | 49736 | 587 | 192.168.2.4 | 198.54.114.199
Apr 18, 2024 21:16:54.872251034 CEST | 587 | 49736 | 198.54.114.199 | 192.168.2.4
Apr 18, 2024 21:16:54.872308969 CEST | 587 | 49736 | 198.54.114.199 | 192.168.2.4
Apr 18, 2024 21:16:54.872661114 CEST | 49736 | 587 | 192.168.2.4 | 198.54.114.199
Apr 18, 2024 21:16:55.068231106 CEST | 587 | 49736 | 198.54.114.199 | 192.168.2.4
Apr 18, 2024 21:16:55.094459057 CEST | 587 | 49736 | 198.54.114.199 | 192.168.2.4
Apr 18, 2024 21:16:55.094724894 CEST | 49736 | 587 | 192.168.2.4 | 198.54.114.199
Apr 18, 2024 21:16:55.248646021 CEST | 587 | 49736 | 198.54.114.199 | 192.168.2.4
Apr 18, 2024 21:16:55.248718023 CEST | 587 | 49736 | 198.54.114.199 | 192.168.2.4
Apr 18, 2024 21:16:55.249408007 CEST | 49736 | 587 | 192.168.2.4 | 198.54.114.199
Apr 18, 2024 21:16:55.249470949 CEST | 49736 | 587 | 192.168.2.4 | 198.54.114.199
Apr 18, 2024 21:16:55.249494076 CEST | 49736 | 587 | 192.168.2.4 | 198.54.114.199
Apr 18, 2024 21:16:55.249511003 CEST | 49736 | 587 | 192.168.2.4 | 198.54.114.199
Apr 18, 2024 21:16:55.403639078 CEST | 587 | 49736 | 198.54.114.199 | 192.168.2.4
Apr 18, 2024 21:16:55.403657913 CEST | 587 | 49736 | 198.54.114.199 | 192.168.2.4
Apr 18, 2024 21:16:55.403669119 CEST | 587 | 49736 | 198.54.114.199 | 192.168.2.4
Apr 18, 2024 21:16:55.403769016 CEST | 587 | 49736 | 198.54.114.199 | 192.168.2.4
Apr 18, 2024 21:16:55.440169096 CEST | 587 | 49736 | 198.54.114.199 | 192.168.2.4
Apr 18, 2024 21:16:55.481528044 CEST | 49736 | 587 | 192.168.2.4 | 198.54.114.199
Apr 18, 2024 21:18:32.044507980 CEST | 49736 | 587 | 192.168.2.4 | 198.54.114.199
Apr 18, 2024 21:18:32.201553106 CEST | 587 | 49736 | 198.54.114.199 | 192.168.2.4
Apr 18, 2024 21:18:32.202090025 CEST | 49736 | 587 | 192.168.2.4 | 198.54.114.199
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 18, 2024 21:16:45.979609013 CEST | 63450 | 53 | 192.168.2.4 | 1.1.1.1
Apr 18, 2024 21:16:46.084294081 CEST | 53 | 63450 | 1.1.1.1 | 192.168.2.4
Apr 18, 2024 21:16:52.051304102 CEST | 53946 | 53 | 192.168.2.4 | 1.1.1.1
Apr 18, 2024 21:16:52.197240114 CEST | 53 | 53946 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 18, 2024 21:16:45.979609013 CEST | 192.168.2.4 | 1.1.1.1 | 0x3585 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Apr 18, 2024 21:16:52.051304102 CEST | 192.168.2.4 | 1.1.1.1 | 0xc979 | Standard query (0) | business29.web-hosting.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 18, 2024 21:16:46.084294081 CEST | 1.1.1.1 | 192.168.2.4 | 0x3585 | No error (0) | api.ipify.org | - | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 21:16:46.084294081 CEST | 1.1.1.1 | 192.168.2.4 | 0x3585 | No error (0) | api.ipify.org | - | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 21:16:46.084294081 CEST | 1.1.1.1 | 192.168.2.4 | 0x3585 | No error (0) | api.ipify.org | - | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 21:16:52.197240114 CEST | 1.1.1.1 | 192.168.2.4 | 0xc979 | No error (0) | business29.web-hosting.com | - | 198.54.114.199 | A (IP address) | IN (0x0001) | false
• api.ipify.org

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49732 | 104.26.12.205 | 443 | 416 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2024-04-18 19:16:46 UTC | 155 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2024-04-18 19:16:46 UTC | 211 | IN | HTTP/1.1 200 OK
    Date: Thu, 18 Apr 2024 19:16:46 GMT
    Content-Type: text/plain
    Content-Length: 12
    Connection: close
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8766fdbeb9797bdc-ATL
2024-04-18 19:16:46 UTC | 12 | IN | Data Raw: 38 31 2e 31 38 31 2e 35 37 2e 35 32
    Data Ascii: 81.181.57.52


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Apr 18, 2024 21:16:53.268362999 CEST | 587 | 49736 | 198.54.114.199 | 192.168.2.4 | 220-business29.web-hosting.com ESMTP Exim 4.96.2 #2 Thu, 18 Apr 2024 15:16:53 -0400
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Apr 18, 2024 21:16:53.268574953 CEST | 49736 | 587 | 192.168.2.4 | 198.54.114.199 | EHLO 216041
Apr 18, 2024 21:16:53.427421093 CEST | 587 | 49736 | 198.54.114.199 | 192.168.2.4 | 250-business29.web-hosting.com Hello 216041 [81.181.57.52]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-STARTTLS
    250 HELP
Apr 18, 2024 21:16:53.427661896 CEST | 49736 | 587 | 192.168.2.4 | 198.54.114.199 | STARTTLS
Apr 18, 2024 21:16:53.583811998 CEST | 587 | 49736 | 198.54.114.199 | 192.168.2.4 | 220 TLS go ahead

Target ID: 0
Start time: 21:16:42
Start date: 18/04/2024
Path: C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe"
Imagebase: 0x3a0000
File size: 351'744 bytes
MD5 hash: D4E8894FB5ED5F45972882FBC6EF04DC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1800686343.0000000003739000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1800686343.0000000003739000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 1
Start time: 21:16:42
Start date: 18/04/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\Desktop\hesaphareketi-01.pdf.SCR.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tt.exe'
Imagebase: 0xb90000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 21:16:42
Start date: 18/04/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 21:16:44
Start date: 18/04/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase: 0xc90000
File size: 65'440 bytes
MD5 hash: 0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3042736012.0000000002EA4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3042736012.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3042736012.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3042736012.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3040210068.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3040210068.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: false

Target ID: 4
Start time: 21:16:44
Start date: 18/04/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase: 0x7ff6eef20000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 8
Start time: 21:16:59
Start date: 18/04/2024
Path: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
Imagebase: 0x250000
File size: 65'440 bytes
MD5 hash: 0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation: high
Has exited: true

Target ID: 9
Start time: 21:16:59
Start date: 18/04/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 21:17:08
Start date: 18/04/2024
Path: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
Imagebase: 0x770000
File size: 65'440 bytes
MD5 hash: 0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 21:17:08
Start date: 18/04/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Execution Graph

Execution Coverage: 6.6%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 30
Total number of Limit Nodes: 3

[Execution graph rendering (30 nodes) not reproducible in text. Nodes that resolve to API calls: 4b798b0 LoadLibraryExW, 4b7a9a0 LoadLibraryExW, 4b7ce10 DuplicateHandle, 4b7c806 GetCurrentProcess, 4b7c858 GetCurrentThread, 4b7c895 GetCurrentProcess, 4b7c8f3 GetCurrentThreadId, 4b7a760 GetModuleHandleW; entry nodes 4b7a430, 4b7ce10, 4b7c7c0, 4b7a718.]

                                                                                                                          Control-flow Graph

                                                                                                                          • Executed
                                                                                                                          • Not Executed
                                                                                                                          control_flow_graph 526 4b7c7b0-4b7c84f GetCurrentProcess 530 4b7c851-4b7c857 526->530 531 4b7c858-4b7c88c GetCurrentThread 526->531 530->531 532 4b7c895-4b7c8c9 GetCurrentProcess 531->532 533 4b7c88e-4b7c894 531->533 535 4b7c8d2-4b7c8ed call 4b7cd98 532->535 536 4b7c8cb-4b7c8d1 532->536 533->532 538 4b7c8f3-4b7c922 GetCurrentThreadId 535->538 536->535 540 4b7c924-4b7c92a 538->540 541 4b7c92b-4b7c98d 538->541 540->541
APIs
• GetCurrentProcess.KERNEL32 ref: 04B7C83E
• GetCurrentThread.KERNEL32 ref: 04B7C87B
• GetCurrentProcess.KERNEL32 ref: 04B7C8B8
• GetCurrentThreadId.KERNEL32 ref: 04B7C911
Note: GetCurrentProcess and GetCurrentThread return the pseudo-handles (HANDLE)-1 and (HANDLE)-2 rather than new handle objects, so these four calls by themselves are not evidence of injection or privilege manipulation. The report does not resolve the target of the intervening "call 4b7cd98" in the graph above, so whether it reaches the DuplicateHandle routine at 4b7ce09 listed further down is not shown here.
Memory Dump Source
• Source File: 00000000.00000002.1801392310.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b70000_hesaphareketi-01.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: db801d2674f94e9ccb07f587209a9de4572182f8da77a7dff8f5714f9e8c5296
• Instruction ID: 64fb000b3b86667eb2120060f073c6867b5f3eac9d057db7c72cf9a718e931a6
• Opcode Fuzzy Hash: db801d2674f94e9ccb07f587209a9de4572182f8da77a7dff8f5714f9e8c5296
• Instruction Fuzzy Hash: 7B5147B09007498FEB14DFA9D548BAEBFF1EF48304F24C469D059A7260DB74A984CB66
Uniqueness Score: -1.00%
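The execution graph and control-flow graph lines above are the text form of the pictures Joe Sandbox renders. The following Python script is an added example, not Joe Sandbox's code: it parses that text into nodes and edges and answers the questions an analyst asks of such a graph (entry nodes, conditional branches, which Win32 APIs are reachable from each entry). The grammar it assumes is inferred from the lines on this page (decimal node id, hex address or address range, optional label, edges written src->dst) and is an assumption, not a documented format. The sample input is copied verbatim from the execution graph and the first control-flow graph of this report.

```python
# Added example, not Joe Sandbox code: parse the text rendering of the
# execution graph / control-flow graph and answer common analyst questions.
# Grammar (an assumption inferred from the graph lines on this page):
#   <graph_name> ( <id> <addr>[-<addr>] [label ...] | <src>-><dst> )*
# ids are decimal, addresses hex, a label is an API name or "call <addr>".
import re
from collections import defaultdict

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")  # "4b7a430" or "4b7c7b0-4b7c84f"

# Sample input copied verbatim from this report: the execution graph and the
# first control-flow graph (function at 4b7c7b0).
EXEC_GRAPH = (
    "execution_graph 14216 4b7a430 14219 4b7a528 14216->14219 14217 4b7a43f 14220 4b7a539 "
    "14219->14220 14221 4b7a554 14219->14221 14220->14221 14224 4b7a7b2 14220->14224 14228 4b7a7c0 "
    "14220->14228 14221->14217 14225 4b7a7d4 14224->14225 14227 4b7a7f9 14225->14227 14232 4b798b0 "
    "14225->14232 14227->14221 14229 4b7a7d4 14228->14229 14230 4b798b0 LoadLibraryExW 14229->14230 "
    "14231 4b7a7f9 14229->14231 14230->14231 14231->14221 14233 4b7a9a0 LoadLibraryExW 14232->14233 "
    "14235 4b7aa19 14233->14235 14235->14227 14236 4b7ce10 DuplicateHandle 14237 4b7cea6 14236->14237 "
    "14238 4b7c7c0 14239 4b7c806 GetCurrentProcess 14238->14239 14241 4b7c851 14239->14241 "
    "14242 4b7c858 GetCurrentThread 14239->14242 14241->14242 14243 4b7c895 GetCurrentProcess "
    "14242->14243 14244 4b7c88e 14242->14244 14245 4b7c8cb 14243->14245 14244->14243 14246 4b7c8f3 "
    "GetCurrentThreadId 14245->14246 14247 4b7c924 14246->14247 14248 4b7a718 14249 4b7a760 "
    "GetModuleHandleW 14248->14249 14250 4b7a75a 14248->14250 14251 4b7a78d 14249->14251 14250->14249"
)
CFG_GRAPH = (
    "control_flow_graph 526 4b7c7b0-4b7c84f GetCurrentProcess 530 4b7c851-4b7c857 526->530 "
    "531 4b7c858-4b7c88c GetCurrentThread 526->531 530->531 532 4b7c895-4b7c8c9 GetCurrentProcess "
    "531->532 533 4b7c88e-4b7c894 531->533 535 4b7c8d2-4b7c8ed call 4b7cd98 532->535 "
    "536 4b7c8cb-4b7c8d1 532->536 533->532 538 4b7c8f3-4b7c922 GetCurrentThreadId 535->538 536->535 "
    "540 4b7c924-4b7c92a 538->540 541 4b7c92b-4b7c98d 538->541 540->541"
)

class Graph:
    def __init__(self, name):
        self.name = name
        self.nodes = {}   # id -> (address, label)
        self.edges = []   # (src, dst)

def _starts_node(tokens, i):
    # A node is a decimal id followed by a hex address or range.  Assumption:
    # no label word is itself a bare decimal followed by a hex-looking word.
    return tokens[i].isdigit() and i + 1 < len(tokens) and bool(ADDR_RE.match(tokens[i + 1]))

def parse_graph(text):
    tokens = text.split()
    g, i, cur = Graph(tokens[0]), 1, None
    while i < len(tokens):
        m = EDGE_RE.match(tokens[i])
        if m:
            g.edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif _starts_node(tokens, i):
            cur = int(tokens[i])
            g.nodes[cur] = (tokens[i + 1], "")
            i += 2
        elif cur is None:
            raise ValueError(f"label {tokens[i]!r} before any node")
        else:  # label word: attach to the most recently defined node
            addr, label = g.nodes[cur]
            g.nodes[cur] = (addr, (label + " " + tokens[i]).strip())
            i += 1
    return g

def is_api(label):
    """True for a Win32 API label; False for empty or an internal 'call <addr>'."""
    return bool(label) and not label.startswith("call ")

def roots(g):
    """Nodes with no incoming edge: the entry points of each function."""
    targets = {d for _, d in g.edges}
    return sorted(n for n in g.nodes if n not in targets)

def branch_nodes(g):
    """Nodes with two or more successors (conditional branches)."""
    out = defaultdict(int)
    for s, _ in g.edges:
        out[s] += 1
    return sorted(n for n, c in out.items() if c >= 2)

def apis_reachable_from(g, root):
    """API names on every node reachable from `root` (depth-first walk)."""
    succ = defaultdict(list)
    for s, d in g.edges:
        succ[s].append(d)
    seen, stack, apis = set(), [root], set()
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        label = g.nodes.get(n, ("", ""))[1]
        if is_api(label):
            apis.add(label)
        stack.extend(succ[n])
    return apis

if __name__ == "__main__":
    for text in (EXEC_GRAPH, CFG_GRAPH):
        g = parse_graph(text)
        print(f"{g.name}: {len(g.nodes)} nodes, {len(g.edges)} edges, branches at {branch_nodes(g)}")
        for r in roots(g):
            print(f"  entry {r} @ {g.nodes[r][0]}: {sorted(apis_reachable_from(g, r)) or 'no API'}")
```

Run stand-alone, it reports 30 nodes and 34 edges for the execution graph with four entry nodes (14216, 14236, 14238, 14248), and for the control-flow graph the single entry 526 with branches at 526, 531, 532 and 538. Both LoadLibraryExW nodes (14230 at 4b798b0 and 14233 at 4b7a9a0) are reached from the one entry 14216, while the "call 4b7cd98" label is deliberately not counted as an API because the report does not resolve its target.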

Control-flow Graph
control_flow_graph 548 4b7c7c0-4b7c84f GetCurrentProcess 552 4b7c851-4b7c857 548->552 553 4b7c858-4b7c88c GetCurrentThread 548->553 552->553 554 4b7c895-4b7c8c9 GetCurrentProcess 553->554 555 4b7c88e-4b7c894 553->555 557 4b7c8d2-4b7c8ed call 4b7cd98 554->557 558 4b7c8cb-4b7c8d1 554->558 555->554 560 4b7c8f3-4b7c922 GetCurrentThreadId 557->560 558->557 562 4b7c924-4b7c92a 560->562 563 4b7c92b-4b7c98d 560->563 562->563
Same code as the previous entry (identical API references at 04B7C83E through 04B7C911), disassembled from a start address 0x10 bytes later, 4b7c7c0, which is the address of node 14238 in the execution graph.
APIs
• GetCurrentProcess.KERNEL32 ref: 04B7C83E
• GetCurrentThread.KERNEL32 ref: 04B7C87B
• GetCurrentProcess.KERNEL32 ref: 04B7C8B8
• GetCurrentThreadId.KERNEL32 ref: 04B7C911
Memory Dump Source
• Source File: 00000000.00000002.1801392310.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b70000_hesaphareketi-01.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 69a496839f031a390f63a2f1965df308d978714ac01a79f0336af3f0a9724eb3
• Instruction ID: 287e99c6f1779adfd6ab8d5f5077b5c8b078eb805eb7d0c6d617a563b2ac2d5c
• Opcode Fuzzy Hash: 69a496839f031a390f63a2f1965df308d978714ac01a79f0336af3f0a9724eb3
• Instruction Fuzzy Hash: 575136B09007498FEB14DFA9D548BAEBFF1EB48304F20C469D459A7360DB74A984CF65
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 609 4b7ce09-4b7cea4 DuplicateHandle 610 4b7cea6-4b7ceac 609->610 611 4b7cead-4b7ceca 609->611 610->611
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04B7CE97
Note: the "?" placeholders mean the sandbox did not recover the arguments, so the source process, target process and requested access of this DuplicateHandle call are unknown from this report; on its own it cannot be read as cross-process handle duplication.
Memory Dump Source
• Source File: 00000000.00000002.1801392310.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b70000_hesaphareketi-01.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 58b76a84d6c24eb47817f06a4e262cc7c4be87ae1583cf4da0eda32fa3107898
• Instruction ID: de9a4b01e35fbcadd818bbb8327bce6718f6a5afef5a0ea8d3e274122a285c10
• Opcode Fuzzy Hash: 58b76a84d6c24eb47817f06a4e262cc7c4be87ae1583cf4da0eda32fa3107898
• Instruction Fuzzy Hash: 9E21E4B5D01209DFDB10CFAAD584ADEBFF5EB48320F14841AE958A7310D378A945CFA5
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 614 4b7ce10-4b7cea4 DuplicateHandle 615 4b7cea6-4b7ceac 614->615 616 4b7cead-4b7ceca 614->616 615->616
Same code as the previous entry, disassembled from 4b7ce10, the address of node 14236 in the execution graph.
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04B7CE97
Memory Dump Source
• Source File: 00000000.00000002.1801392310.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b70000_hesaphareketi-01.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 566c56b20b81123287ea46f3264be5312987c22aed3a5e8d544796b63eb4e1ee
• Instruction ID: a88b2afa2998233f580c6756afcfcd415e477025c0312d39ad77d7d980cd77ed
• Opcode Fuzzy Hash: 566c56b20b81123287ea46f3264be5312987c22aed3a5e8d544796b63eb4e1ee
• Instruction Fuzzy Hash: 2321E4B5900208DFDB10CF9AD984ADEBFF8EB48310F14841AE958A3310C374A940CFA5
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 619 4b798b0-4b7a9e0 621 4b7a9e2-4b7a9e5 619->621 622 4b7a9e8-4b7aa17 LoadLibraryExW 619->622 621->622 623 4b7aa20-4b7aa3d 622->623 624 4b7aa19-4b7aa1f 622->624 624->623
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,04B7A7F9,00000800,00000000,00000000), ref: 04B7AA0A
Note: only raw stack slots are recorded and the report does not say which slot is which parameter; the library name is not recovered. Two values are recognisable: 00000800 equals the LOAD_LIBRARY_SEARCH_SYSTEM32 flag (0x800), and 04B7A7F9 is the address of nodes 14227 and 14231, the blocks that follow the LoadLibraryExW call in the execution graph, so it is the caller's return address.
Memory Dump Source
• Source File: 00000000.00000002.1801392310.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b70000_hesaphareketi-01.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 2386b83446687f2612a61d9e99e07c879adc2f009b10cbfb8c10f2300bd5021b
• Instruction ID: a5420f09ec3481f7a4b9510738a65bfc31db8dfb54fbefdb775963f86aabd383
• Opcode Fuzzy Hash: 2386b83446687f2612a61d9e99e07c879adc2f009b10cbfb8c10f2300bd5021b
• Instruction Fuzzy Hash: 601123B69003499FDB10CF9AC544AEEFBF4EB88310F10846AE469B7210C375A945CFA9
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 627 4b7a998-4b7a9e0 628 4b7a9e2-4b7a9e5 627->628 629 4b7a9e8-4b7aa17 LoadLibraryExW 627->629 628->629 630 4b7aa20-4b7aa3d 629->630 631 4b7aa19-4b7aa1f 629->631 631->630
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,04B7A7F9,00000800,00000000,00000000), ref: 04B7AA0A
Memory Dump Source
• Source File: 00000000.00000002.1801392310.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b70000_hesaphareketi-01.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: c6f17950c4e0f9f958bd7336b9e19609f9144b97fe313c94791456dad6073d5f
• Instruction ID: ceab3e97b8b7766ef8f014d07cfc00ef3741710ba458f5456421f4600aafaf51
• Opcode Fuzzy Hash: c6f17950c4e0f9f958bd7336b9e19609f9144b97fe313c94791456dad6073d5f
• Instruction Fuzzy Hash: 201134B6C00249CFDB10CF9AC544ADEFBF4EB88320F10842AD569A7310C379A546CFA5
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 634 4b7a718-4b7a758 635 4b7a760-4b7a78b GetModuleHandleW 634->635 636 4b7a75a-4b7a75d 634->636 637 4b7a794-4b7a7a8 635->637 638 4b7a78d-4b7a793 635->638 636->635
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 04B7A77E
Note: GetModuleHandleW with a NULL module name returns the base address of the calling process's main executable image, not of a DLL; here the calling process is the one whose memory region at 04B70000 is being disassembled.
Memory Dump Source
• Source File: 00000000.00000002.1801392310.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b70000_hesaphareketi-01.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 37e11dc29aa757bd13b3f0b8a194b200997b93a0c259afbedd0acda9b35437ce
• Instruction ID: 4e4454efdd1b7fcb4d7685dca5b472fe20ea4abf4bffdf4291afe74701aeb7a2
• Opcode Fuzzy Hash: 37e11dc29aa757bd13b3f0b8a194b200997b93a0c259afbedd0acda9b35437ce
• Instruction Fuzzy Hash: 5811EDB6C00749CFDB10CF9AC944ADEFBF5EB88324F10846AD869A7210C379A545CFA5
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1799645625.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ccd000_hesaphareketi-01.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8e2fc9772e184608755413d9104c1eac0a5b47d336ce90b941b6c47deccd3a83
• Instruction ID: d9e9a6165e739aa9c84c8c3363167b6d467d6b48e01394192897a066475f956d
• Opcode Fuzzy Hash: 8e2fc9772e184608755413d9104c1eac0a5b47d336ce90b941b6c47deccd3a83
• Instruction Fuzzy Hash: D52100B2504200DFDB05DF18D9C0F27BFA5FB98328F20C17DE90A0A256C336D856CAA2
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1799744619.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_cdd000_hesaphareketi-01.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0a6f0b1bcb639b7ea1fcbfb2ce727fd4a56e7c9e8e40041563ecf96cc442aec6
• Instruction ID: dc5d3d7eb4bdfe095ea69968de7f348a8c35f4b8a7c7a9e0347b44db407a4692
• Opcode Fuzzy Hash: 0a6f0b1bcb639b7ea1fcbfb2ce727fd4a56e7c9e8e40041563ecf96cc442aec6
• Instruction Fuzzy Hash: F921F571904200DFCB14DF14D9C4B26BBA5EBC4314F24C56EDA0A4B356C336E847CA61
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1799744619.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_cdd000_hesaphareketi-01.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b481b1c51909a920a09171fd248cb20c23666d62370b3bfad304b904083934a2
• Instruction ID: c018b52a969eedd300f93598135edf5d108f6b1b40a0faffbd3f05a24ae23048
• Opcode Fuzzy Hash: b481b1c51909a920a09171fd248cb20c23666d62370b3bfad304b904083934a2
• Instruction Fuzzy Hash: 55218E755093808FCB12CF24D994715BF71EB86314F28C5EBD9498F6A7C33A980ACB62
Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1799645625.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_ccd000_hesaphareketi-01.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                          • Instruction ID: 1843935da3d9b841bb21d17f0fc43c237e85f4bf762d84f86d370fec5628692e
                                                                                                                          • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                          • Instruction Fuzzy Hash: 9511D3B6504240CFDB16CF14D5C4B16BF71FB94324F24C5ADD90A0B656C336D95ACBA2
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1801392310.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_4b70000_hesaphareketi-01.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: fb98697228ee313a1635ca1ffc3e68d3084ff65483e62536a3e465cd20ff1665
                                                                                                                          • Instruction ID: c466d6fa09aad30d8884eccfa28ab4c27f60b73bf3911962d947a8f9330cf4bd
                                                                                                                          • Opcode Fuzzy Hash: fb98697228ee313a1635ca1ffc3e68d3084ff65483e62536a3e465cd20ff1665
                                                                                                                          • Instruction Fuzzy Hash: 9612A7F0402745AAD330CF65E86C9893BB1FB45319F54428BD2661B2E1EBBC198ADF74
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1801392310.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_4b70000_hesaphareketi-01.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 663518a131ebbeb4f59bd7db1f894f68846fbfd69a334099010ae1c74e855a26
                                                                                                                          • Instruction ID: c1a10cef26d1571efa251ecb1adcfe31a012269ae840e0330002bfa46cd6f608
                                                                                                                          • Opcode Fuzzy Hash: 663518a131ebbeb4f59bd7db1f894f68846fbfd69a334099010ae1c74e855a26
                                                                                                                          • Instruction Fuzzy Hash: 62A16D32E002198FDF15DFA4C8445AEB7B2FF85304B1585EAE815AB265EB31F946CB50
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1801392310.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_4b70000_hesaphareketi-01.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: a7bfb87c9d4e084f9304e2492e8d92f09e95e3ab6d4e6b0e238bb5e5875989c6
                                                                                                                          • Instruction ID: 7751a25bea9bdeca9fce57017d88dde20e817aabf8675531aaf49129ae787369
                                                                                                                          • Opcode Fuzzy Hash: a7bfb87c9d4e084f9304e2492e8d92f09e95e3ab6d4e6b0e238bb5e5875989c6
                                                                                                                          • Instruction Fuzzy Hash: 6BC12BB0402746ABD730CF25E8685897BB1FB85315F64438BD1626B2E0EBBC1886DF74
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.1816733331.0000000007BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BB0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_7bb0000_powershell.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: 4'^q$4'^q$4'^q$4'^q
                                                                                                                          • API String ID: 0-1420252700
                                                                                                                          • Opcode ID: f17e35f91d7258823370b14feb4bd5cc146b30b6a2604c122d25ae920beb3b41
                                                                                                                          • Instruction ID: adffc72a858a5fddbe8491b22fb9157b48a7678b746b2295e2cde1fa91d7bb6e
                                                                                                                          • Opcode Fuzzy Hash: f17e35f91d7258823370b14feb4bd5cc146b30b6a2604c122d25ae920beb3b41
                                                                                                                          • Instruction Fuzzy Hash: 941257F1B042098FE7258B6C98117FABBA2EFC6210F1484BAD905CF795DBB1C855C7A1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.1808540910.0000000004C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_4c40000_powershell.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: cc7a28c5a84ad69fb8e234e4e4e33b317e1c0f91ddc1b8722389192104d176b4
                                                                                                                          • Instruction ID: 8404d69a94e7c241c9b04e385434fc0e28ec00715a64a64c94aa2a6bf8febf6f
                                                                                                                          • Opcode Fuzzy Hash: cc7a28c5a84ad69fb8e234e4e4e33b317e1c0f91ddc1b8722389192104d176b4
                                                                                                                          • Instruction Fuzzy Hash: 85918E74A002458FCB15CF59C5959AEFBB2FF88310B2485A9E815AB3A5C735FC91CFA0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.1816733331.0000000007BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BB0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_7bb0000_powershell.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: b99ce4d5ac9575b54f22ddd242b6699a13727c2990f55c0ae1dd8132efb35deb
                                                                                                                          • Instruction ID: 842a2c9ef3e76fac07de09068c95de65a9e35a6e4fc98577015346e12590f141
                                                                                                                          • Opcode Fuzzy Hash: b99ce4d5ac9575b54f22ddd242b6699a13727c2990f55c0ae1dd8132efb35deb
                                                                                                                          • Instruction Fuzzy Hash: EE41F3F1B0020E8FEB35CB6D8821AF97BA2EF86210F5480E9DD009F655CA71D855CBA1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.1808540910.0000000004C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_4c40000_powershell.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: e4332bb2addc5a9b1a03a11863dde81d5fe31374f6d79a0dbd5ab4c549046d93
                                                                                                                          • Instruction ID: 8616507333e9a40a2faa3f180bd54422ab3bd3ef8005ee101fad14b79cc101e8
                                                                                                                          • Opcode Fuzzy Hash: e4332bb2addc5a9b1a03a11863dde81d5fe31374f6d79a0dbd5ab4c549046d93
                                                                                                                          • Instruction Fuzzy Hash: 86416AB4A005058FCB05CF58C199AAEFBB2FF88314B118599E815AB364C736FD91CFA0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.1808540910.0000000004C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_4c40000_powershell.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: bcad08149c8a454e2372049b484a61c1a9df41a0535d965ad90a029c7bfa427d
                                                                                                                          • Instruction ID: 0be3a71f039fce5d8c05dab3398471e739fe3437854fb5e08636bee942805127
                                                                                                                          • Opcode Fuzzy Hash: bcad08149c8a454e2372049b484a61c1a9df41a0535d965ad90a029c7bfa427d
                                                                                                                          • Instruction Fuzzy Hash: 5A11DA78E002199FCB04CF98D5809AEBBF5FF89310B258599D809AB351C735FD45CBA0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.1808138873.00000000033ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 033ED000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_33ed000_powershell.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: e2ad3c225bb250a69feeb936055d61af0b5473bfc6e9f298a4bcd5b815cb7adf
                                                                                                                          • Instruction ID: 8adf8ed0771d566e61d149fe78530950b989bd3212b3ba9d9cff0b6ca49bbffb
                                                                                                                          • Opcode Fuzzy Hash: e2ad3c225bb250a69feeb936055d61af0b5473bfc6e9f298a4bcd5b815cb7adf
                                                                                                                          • Instruction Fuzzy Hash: 4001F231409314AEE720CA29CDC4B67FF9CEF41325F0CC46AEC180A686C27D9C42C6B1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.1808138873.00000000033ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 033ED000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_33ed000_powershell.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: df2ee2044a21b1f6a152719cd5e8db1a7d9a26876fb4a9cceedb76581aee6bc5
                                                                                                                          • Instruction ID: 35810d25c72cac20580a992546129c0e2fe259b3d349f7a2022b1198f6bb9532
                                                                                                                          • Opcode Fuzzy Hash: df2ee2044a21b1f6a152719cd5e8db1a7d9a26876fb4a9cceedb76581aee6bc5
                                                                                                                          • Instruction Fuzzy Hash: 5C01407140E3C09ED7128B25CC94B52BFB4EF43225F1D84CBD8888F2A3C2699849C772
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.1816733331.0000000007BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BB0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_7bb0000_powershell.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q
                                                                                                                          • API String ID: 0-1608119003
                                                                                                                          • Opcode ID: f12aa48b279b6fd46211aa7dfb1c4663e3c4ce4cbd19e589b9d00f2e37230c55
                                                                                                                          • Instruction ID: 98f679b929758353bead2fc1fdff953735064fe90136f4c059f4353ed5c0def8
                                                                                                                          • Opcode Fuzzy Hash: f12aa48b279b6fd46211aa7dfb1c4663e3c4ce4cbd19e589b9d00f2e37230c55
                                                                                                                          • Instruction Fuzzy Hash: C2F126B2B0021D8FE7248B6D98216FABBE6EFC5210F1484BAD805CB755DA71C849CB91
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.1816733331.0000000007BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BB0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7bb0000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q
• API String ID: 0-1608119003
• Opcode ID: 39efcc03134b9fa82a199d14b47de8ebc48b2e61ce3a3d18f65b9367c82fd72b
• Instruction ID: f76c6f40dcf3376509f46056e3b7250b387d028ac41c19abe75b437be9d09410
• Opcode Fuzzy Hash: 39efcc03134b9fa82a199d14b47de8ebc48b2e61ce3a3d18f65b9367c82fd72b
• Instruction Fuzzy Hash: 58A169F2B043168FE735AA2998506BBBBA5EFC5210F1484FBD805CB391DAB1C855CBD1
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.1816733331.0000000007BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7bb0000_powershell.jbxd
Similarity
• API ID:
• String ID: $^q$$^q$$^q$$^q
• API String ID: 0-2125118731
• Opcode ID: afbd968ff2b984cb94c2198946d9dc3adb758f0e704f3431870376bd65bd111f
• Instruction ID: aa28559a0edbc3a2ba748b4b28962fabbc08d1e0b2c374830efe8883d49c0642
• Opcode Fuzzy Hash: afbd968ff2b984cb94c2198946d9dc3adb758f0e704f3431870376bd65bd111f
• Instruction Fuzzy Hash: F72105F170431A5BE778596A8801BB7A6D6DFC1710F24846AA905CB385DDB6C8498261
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.1816733331.0000000007BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7bb0000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q$$^q$$^q
• API String ID: 0-2049395529
• Opcode ID: 096f2df7e7b4b2e97ce608d9afd894ee406f7c4d194626a66773309f24cc9dc2
• Instruction ID: 5382027143b1f142f308919cd4d78cf44b69a47fecb5f1a72b8eeb6d253d97bd
• Opcode Fuzzy Hash: 096f2df7e7b4b2e97ce608d9afd894ee406f7c4d194626a66773309f24cc9dc2
• Instruction Fuzzy Hash: 8301D4A170E3C68FD32B622818245765FB25B87510B2A04DBC440CF39BCD558C0D8393
Uniqueness
Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 11%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 129
Total number of Limit Nodes: 9
Strings
Memory Dump Source
• Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
Similarity
• API ID:
• String ID: $^q$$^q$$^q$$^q$$^q$$^q
• API String ID: 0-2392861976
• Opcode ID: 59860f40f64d20a0925343356210d0df695233831677ed2315a80f0478f8a06a
• Instruction ID: 8798eb1a2d79a66ef5d5029ef4108a95f5406b1ba5689c8e0bc362834ef24213
• Opcode Fuzzy Hash: 59860f40f64d20a0925343356210d0df695233831677ed2315a80f0478f8a06a
• Instruction Fuzzy Hash: 6CD25C70E102268FDB64DB68C584A9DB7F2FF89310F54D5A9D409AB365DB30ED86CB80
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
Strings
Memory Dump Source
• Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
Similarity
• API ID:
• String ID: $^q$$^q
• API String ID: 0-355816377
• Opcode ID: 2bb6f8ef2a4c1b31a015a98c6ba0c83ada6c0861376159918149dc5b3c721c3a
• Instruction ID: d33ac30721e7f5afe100b98dc0e80b8fdf594cc290b4585727c07891ed8d080e
• Opcode Fuzzy Hash: 2bb6f8ef2a4c1b31a015a98c6ba0c83ada6c0861376159918149dc5b3c721c3a
• Instruction Fuzzy Hash: A602BC70B002268FDB54EB64D99466EB7F2FF84304F1485A8D40ADB395DB35EC82CB81
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
Strings
Memory Dump Source
• Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
Similarity
• API ID:
• String ID: XPcq$\Ocq
• API String ID: 0-2802517751
• Opcode ID: 02c0bb1d7834cefef03625b4be780299ae1831ce657da72c6ba6369001a924cc
• Instruction ID: 34f904ee087e3477fbdaccf5a168ce4604170acdb326d964c48df68e7003626b
• Opcode Fuzzy Hash: 02c0bb1d7834cefef03625b4be780299ae1831ce657da72c6ba6369001a924cc
• Instruction Fuzzy Hash: C2D11871B201258FDF54EB68D490AAEBBF2FF89714F2484AAE41ADB351CA31DC41C791
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2cbfee6317fef33a75678338e2836faf309dced65ec35b69ddc9e0327ca37efd
• Instruction ID: 9f9e7da625f8e8c476b89c5a5520f8561e93264280519444557ea03a35075c1d
• Opcode Fuzzy Hash: 2cbfee6317fef33a75678338e2836faf309dced65ec35b69ddc9e0327ca37efd
• Instruction Fuzzy Hash: FB630871D10B1A8ACB51EF68C880599F7B1FF99300F15D79AE45CB7221EB70AAC5CB81
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 629db0052d19e89babf26130c214137fff2897072b184b2fa67b9d589070c2a5
• Instruction ID: 9951c1f864f992fa0f32977a5bd852ffb595d14268f6d125b892e4948d54fca5
• Opcode Fuzzy Hash: 629db0052d19e89babf26130c214137fff2897072b184b2fa67b9d589070c2a5
• Instruction Fuzzy Hash: DB331F71D1071A8ECB11EF68C8905ADF7B1FF99300F15D79AE458AB211EB70AAC5CB81
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.3051819549.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_3_2_6b00000_RegAsm.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 391238cd80ff5538d23dd244ce32e1566ddc39d071a68ea08f47b279592dcde3
                                                                                                                          • Instruction ID: e865613e72e9c282b0702a835f18d0a6aca1052279f849185dbf5620f59c6deb
                                                                                                                          • Opcode Fuzzy Hash: 391238cd80ff5538d23dd244ce32e1566ddc39d071a68ea08f47b279592dcde3
                                                                                                                          • Instruction Fuzzy Hash: EAD118B4A00209DFEB54DFA5C948BADBFF1FF48304F1581A4E615AB2A5DB70D985CB80
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cb12e69b2da76adbcfc6204a97bdc8d89fa80a63fd7d9d9888651d29c80637e6
• Instruction ID: 66dcc8c8eb0b428baad74a275816168be480547ddda104527b71a984bfbdcf3b
• Opcode Fuzzy Hash: cb12e69b2da76adbcfc6204a97bdc8d89fa80a63fd7d9d9888651d29c80637e6
• Instruction Fuzzy Hash: E2E2D571D10B1A8ADB50EB68C8405A9F7B1FF99300F11D79AE45CB7221EB70AAD5CF81
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d26c0661b64283cdc28683f050252f95660c711a740b9178a338364015907922
• Instruction ID: 012072dec7b47f795d35368300f34efc3ab65cfaeb266907c57bd7403567e130
• Opcode Fuzzy Hash: d26c0661b64283cdc28683f050252f95660c711a740b9178a338364015907922
• Instruction Fuzzy Hash: 4E629C74E002268FDB54DB68D584BADB7F2EF84318F1485A9D41AEB394DB35EC42CB81
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 450 2d0ac48-2d0acca 454 2d0acd0-2d0acf5 450->454 455 2d0af0e-2d0af41 450->455 460 2d0af48-2d0af7d 454->460 461 2d0acfb-2d0ad20 454->461 455->460 468 2d0af84-2d0afb9 460->468 461->468 469 2d0ad26-2d0ad36 461->469 473 2d0afc0-2d0afec 468->473 469->473 474 2d0ad3c-2d0ad40 469->474 479 2d0aff3-2d0b031 473->479 476 2d0ad42-2d0ad48 474->476 477 2d0ad4e-2d0ad53 474->477 476->477 476->479 480 2d0ad61-2d0ad67 477->480 481 2d0ad55-2d0ad5b 477->481 483 2d0b038-2d0b076 479->483 485 2d0ad78-2d0ad8c 480->485 486 2d0ad69-2d0ad71 480->486 481->480 481->483 519 2d0b07d-2d0b106 483->519 499 2d0ad92 485->499 500 2d0ad8e-2d0ad90 485->500 486->485 501 2d0ad97-2d0adaf 499->501 500->501 503 2d0adb1-2d0adb7 501->503 504 2d0adb9-2d0adbd 501->504 503->504 506 2d0ae0c-2d0ae19 503->506 507 2d0ae00-2d0ae09 504->507 508 2d0adbf-2d0adeb GetActiveWindow 504->508 517 2d0ae59 506->517 518 2d0ae1b-2d0ae31 call 2d0a804 506->518 507->506 510 2d0adf4-2d0adfe 508->510 511 2d0aded-2d0adf3 508->511 510->506 511->510 548 2d0ae59 call 2d0b570 517->548 549 2d0ae59 call 2d0b538 517->549 527 2d0ae50-2d0ae56 518->527 528 2d0ae33-2d0ae4a 518->528 545 2d0b113 519->545 546 2d0b108-2d0b111 519->546 522 2d0ae5f-2d0aeb3 call 2d0a810 541 2d0aebc 522->541 527->517 528->519 528->527 541->455 547 2d0b115-2d0b11b 545->547 546->547 548->522 549->522
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.3042621439.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d00000_RegAsm.jbxd
Similarity
• API ID: ActiveWindow
• String ID: Hbq$Hbq
• API String ID: 2558294473-4258043069
• Opcode ID: f08938be9e880f1c5c0add6d4ada4f61ba0695879e987992afdb663f5f72d9a6
• Instruction ID: 69d8b4f1c3e05a85210cbd636593c6aa84fcd852aa1574f09e77c3a68fe7b969
• Opcode Fuzzy Hash: f08938be9e880f1c5c0add6d4ada4f61ba0695879e987992afdb663f5f72d9a6
• Instruction Fuzzy Hash: D0C19D30B103599BDB58AFB8C4557AE7BA6FF88300F148429E906AB390DF74DD82CB55
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 550 6b2e228-6b2e24d 551 6b2e24f-6b2e252 550->551 552 6b2e254-6b2e273 551->552 553 6b2e278-6b2e27b 551->553 552->553 554 6b2e281-6b2e296 553->554 555 6b2eb3b-6b2eb3d 553->555 561 6b2e298-6b2e29e 554->561 562 6b2e2ae-6b2e2c4 554->562 557 6b2eb44-6b2eb47 555->557 558 6b2eb3f 555->558 557->551 560 6b2eb4d-6b2eb57 557->560 558->557 564 6b2e2a2-6b2e2a4 561->564 565 6b2e2a0 561->565 567 6b2e2cf-6b2e2d1 562->567 564->562 565->562 568 6b2e2d3-6b2e2d9 567->568 569 6b2e2e9-6b2e35a 567->569 570 6b2e2db 568->570 571 6b2e2dd-6b2e2df 568->571 580 6b2e386-6b2e3a2 569->580 581 6b2e35c-6b2e37f 569->581 570->569 571->569 586 6b2e3a4-6b2e3c7 580->586 587 6b2e3ce-6b2e3e9 580->587 581->580 586->587 592 6b2e414-6b2e42f 587->592 593 6b2e3eb-6b2e40d 587->593 598 6b2e431-6b2e453 592->598 599 6b2e45a-6b2e464 592->599 593->592 598->599 600 6b2e466-6b2e46f 599->600 601 6b2e474-6b2e4ee 599->601 600->560 607 6b2e4f0-6b2e50e 601->607 608 6b2e53b-6b2e550 601->608 612 6b2e510-6b2e51f 607->612 613 6b2e52a-6b2e539 607->613 608->555 612->613 613->607 613->608
Strings
Memory Dump Source
• Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
Similarity
• API ID:
• String ID: $^q$$^q$$^q$$^q
• API String ID: 0-2125118731
• Opcode ID: 53ec5a067cdaafb4c1cc547356f5c8d47b89d30d1fbb433462a2f1ee7026d461
• Instruction ID: 34fe286dc0b503be114514ed7f24b109fa86947832fb40d00985b732fca374ec
• Opcode Fuzzy Hash: 53ec5a067cdaafb4c1cc547356f5c8d47b89d30d1fbb433462a2f1ee7026d461
• Instruction Fuzzy Hash: 84914F70F0022A9FDB54DB66D8907AEB3F6EB85204F1485A9D40DEB385EB31DC468B91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 616 6b29c50-6b29c74 617 6b29c76-6b29c79 616->617 618 6b29c9a-6b29c9d 617->618 619 6b29c7b-6b29c95 617->619 620 6b29ca3-6b29d9b 618->620 621 6b2a37c-6b2a37e 618->621 619->618 639 6b29da1-6b29de9 620->639 640 6b29e1e-6b29e25 620->640 623 6b2a380 621->623 624 6b2a385-6b2a388 621->624 623->624 624->617 625 6b2a38e-6b2a39b 624->625 661 6b29dee call 6b2a508 639->661 662 6b29dee call 6b2a4f9 639->662 641 6b29e2b-6b29e9b 640->641 642 6b29ea9-6b29eb2 640->642 659 6b29ea6 641->659 660 6b29e9d 641->660 642->625 653 6b29df4-6b29e10 656 6b29e12 653->656 657 6b29e1b 653->657 656->657 657->640 659->642 660->659 661->653 662->653
Strings
Memory Dump Source
• Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
Similarity
• API ID:
• String ID: fcq$XPcq$\Ocq
• API String ID: 0-3575482020
• Opcode ID: efdc868c51a4f6ff6545b5147de56ae8c20bac236e28d6155dbd28f4f17b7c5e
• Instruction ID: a3f4a4de971f2d3eb2dbc7da2cadf44405fe8294a9a0622c5e96bb47bf16a8a2
• Opcode Fuzzy Hash: efdc868c51a4f6ff6545b5147de56ae8c20bac236e28d6155dbd28f4f17b7c5e
• Instruction Fuzzy Hash: E6619370E102199FEB54AFA9C8547AEBBF7FB88700F208529D10AEB394DB758C458B51
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 1398 6b29c40-6b29c74 1400 6b29c76-6b29c79 1398->1400 1401 6b29c9a-6b29c9d 1400->1401 1402 6b29c7b-6b29c95 1400->1402 1403 6b29ca3-6b29d9b 1401->1403 1404 6b2a37c-6b2a37e 1401->1404 1402->1401 1422 6b29da1-6b29de9 1403->1422 1423 6b29e1e-6b29e25 1403->1423 1406 6b2a380 1404->1406 1407 6b2a385-6b2a388 1404->1407 1406->1407 1407->1400 1408 6b2a38e-6b2a39b 1407->1408 1444 6b29dee call 6b2a508 1422->1444 1445 6b29dee call 6b2a4f9 1422->1445 1424 6b29e2b-6b29e9b 1423->1424 1425 6b29ea9-6b29eb2 1423->1425 1442 6b29ea6 1424->1442 1443 6b29e9d 1424->1443 1425->1408 1436 6b29df4-6b29e10 1439 6b29e12 1436->1439 1440 6b29e1b 1436->1440 1439->1440 1440->1423 1442->1425 1443->1442 1444->1436 1445->1436
Strings
Memory Dump Source
• Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
Similarity
• API ID:
• String ID: fcq$XPcq
• API String ID: 0-936005338
• Opcode ID: 7e1857dcac1a2d6eeaae2fbe8fbe7fc92cdb2b1af38cc05e8c81c96d7e2bb356
• Instruction ID: 94a82afc0915957a2fbc329e01cde52b59e59f72f539ee7f68dbf00dab7d4274
• Opcode Fuzzy Hash: 7e1857dcac1a2d6eeaae2fbe8fbe7fc92cdb2b1af38cc05e8c81c96d7e2bb356
• Instruction Fuzzy Hash: B5518470F102199FDB55AFA9C8547AEBBF7FF88700F208529D109AB394DB758C068B91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 1981 2d0ac3c-2d0acca 1985 2d0acd0-2d0acf5 1981->1985 1986 2d0af0e-2d0af41 1981->1986 1991 2d0af48-2d0af7d 1985->1991 1992 2d0acfb-2d0ad20 1985->1992 1986->1991 1999 2d0af84-2d0afb9 1991->1999 1992->1999 2000 2d0ad26-2d0ad36 1992->2000 2004 2d0afc0-2d0afec 1999->2004 2000->2004 2005 2d0ad3c-2d0ad40 2000->2005 2010 2d0aff3-2d0b031 2004->2010 2007 2d0ad42-2d0ad48 2005->2007 2008 2d0ad4e-2d0ad53 2005->2008 2007->2008 2007->2010 2011 2d0ad61-2d0ad67 2008->2011 2012 2d0ad55-2d0ad5b 2008->2012 2014 2d0b038-2d0b076 2010->2014 2016 2d0ad78-2d0ad8c 2011->2016 2017 2d0ad69-2d0ad71 2011->2017 2012->2011 2012->2014 2050 2d0b07d-2d0b106 2014->2050 2030 2d0ad92 2016->2030 2031 2d0ad8e-2d0ad90 2016->2031 2017->2016 2032 2d0ad97-2d0adaf 2030->2032 2031->2032 2034 2d0adb1-2d0adb7 2032->2034 2035 2d0adb9-2d0adbd 2032->2035 2034->2035 2037 2d0ae0c-2d0ae19 2034->2037 2038 2d0ae00-2d0ae09 2035->2038 2039 2d0adbf-2d0adeb GetActiveWindow 2035->2039 2048 2d0ae59 2037->2048 2049 2d0ae1b-2d0ae31 call 2d0a804 2037->2049 2038->2037 2041 2d0adf4-2d0adfe 2039->2041 2042 2d0aded-2d0adf3 2039->2042 2041->2037 2042->2041 2079 2d0ae59 call 2d0b570 2048->2079 2080 2d0ae59 call 2d0b538 2048->2080 2058 2d0ae50-2d0ae56 2049->2058 2059 2d0ae33-2d0ae4a 2049->2059 2076 2d0b113 2050->2076 2077 2d0b108-2d0b111 2050->2077 2053 2d0ae5f-2d0aeb3 call 2d0a810 2072 2d0aebc 2053->2072 2058->2048 2059->2050 2059->2058 2072->1986 2078 2d0b115-2d0b11b 2076->2078 2077->2078 2079->2053 2080->2053
APIs
Memory Dump Source
• Source File: 00000003.00000002.3042621439.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d00000_RegAsm.jbxd
Similarity
• API ID: ActiveWindow
• String ID:
• API String ID: 2558294473-0
• Opcode ID: d9eae96843495eb07888a407ba503405bf517ef342bffd8006642ffbfb0a1784
• Instruction ID: 15d926b32812185f8bee92162ee000f624614be1ec8b40877cbecbb2a7b2a456
• Opcode Fuzzy Hash: d9eae96843495eb07888a407ba503405bf517ef342bffd8006642ffbfb0a1784
• Instruction Fuzzy Hash: EA614870E1031A9BDB14DFA5D889BADBFB2FF88315F148429E915AB390EF349841CB50
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 2081 6b2a878-6b2a88b 2082 6b2a895-6b2a898 2081->2082 2083 6b2a8ba-6b2a8bd 2082->2083 2084 6b2a89a-6b2a89e 2082->2084 2087 6b2a8c7-6b2a8ca 2083->2087 2088 6b2a8bf-6b2a8c6 2083->2088 2085 6b2a982-6b2a9bc 2084->2085 2086 6b2a8a4-6b2a8ac 2084->2086 2098 6b2a9be-6b2a9c1 2085->2098 2086->2085 2089 6b2a8b2-6b2a8b5 2086->2089 2090 6b2a8e2-6b2a8e5 2087->2090 2091 6b2a8cc-6b2a8dd 2087->2091 2089->2083 2092 6b2a907-6b2a90a 2090->2092 2093 6b2a8e7-6b2a8eb 2090->2093 2091->2090 2096 6b2a91a-6b2a91d 2092->2096 2097 6b2a90c-6b2a913 2092->2097 2093->2085 2095 6b2a8f1-6b2a8f9 2093->2095 2095->2085 2100 6b2a8ff-6b2a902 2095->2100 2103 6b2a92e-6b2a931 2096->2103 2104 6b2a91f-6b2a929 2096->2104 2101 6b2a915 2097->2101 2102 6b2a97a-6b2a981 2097->2102 2105 6b2a9c3-6b2a9c8 2098->2105 2106 6b2a9cb-6b2a9ce 2098->2106 2100->2092 2101->2096 2107 6b2a933-6b2a937 2103->2107 2108 6b2a94b-6b2a94e 2103->2108 2104->2103 2105->2106 2109 6b2a9d0-6b2a9d3 2106->2109 2110 6b2aa2c-6b2abc0 2106->2110 2107->2085 2112 6b2a939-6b2a941 2107->2112 2115 6b2a950-6b2a954 2108->2115 2116 6b2a968-6b2a96a 2108->2116 2113 6b2a9f1-6b2a9f4 2109->2113 2114 6b2a9d5-6b2a9e6 2109->2114 2174 6b2abc6-6b2abcd 2110->2174 2175 6b2acf9-6b2ad0c 2110->2175 2112->2085 2123 6b2a943-6b2a946 2112->2123 2118 6b2aa02-6b2aa05 2113->2118 2119 6b2a9f6-6b2a9fd 2113->2119 2128 6b2ad85-6b2ad98 2114->2128 2129 6b2a9ec 2114->2129 2115->2085 2117 6b2a956-6b2a95e 2115->2117 2120 6b2a971-6b2a974 2116->2120 2121 6b2a96c 2116->2121 2117->2085 2124 6b2a960-6b2a963 2117->2124 2125 6b2aa23-6b2aa26 2118->2125 2126 6b2aa07-6b2aa18 2118->2126 2119->2118 2120->2082 2120->2102 2121->2120 2123->2108 2124->2116 2125->2110 2130 6b2ad0f-6b2ad12 2125->2130 2135 6b2ad74-6b2ad7b 2126->2135 2136 6b2aa1e 2126->2136 2129->2113 2132 6b2ad14-6b2ad25 2130->2132 2133 6b2ad2c-6b2ad2f 2130->2133 2132->2135 2148 6b2ad27 2132->2148 2138 6b2ad31-6b2ad42 2133->2138 2139 6b2ad49-6b2ad4c 2133->2139 2141 6b2ad80-6b2ad83 2135->2141 2136->2125 2138->2135 2152 6b2ad44 2138->2152 2139->2110 2143 6b2ad52-6b2ad55 2139->2143 2141->2128 2147 6b2ad9b-6b2ad9d 2141->2147 2144 6b2ad57-6b2ad68 2143->2144 2145 6b2ad6f-6b2ad72 2143->2145 2144->2132 2156 6b2ad6a 2144->2156 2145->2135 2145->2141 2150 6b2ada4-6b2ada7 2147->2150 2151 6b2ad9f 2147->2151 2148->2133 2150->2098 2155 6b2adad-6b2adb6 2150->2155 2151->2150 2152->2139 2156->2145 2176 6b2abd3-6b2ac06 2174->2176 2177 6b2ac81-6b2ac88 2174->2177 2187 6b2ac0b-6b2ac4c 2176->2187 2188 6b2ac08 2176->2188 2177->2175 2178 6b2ac8a-6b2acbd 2177->2178 2190 6b2acc2-6b2acef 2178->2190 2191 6b2acbf 2178->2191 2199 6b2ac64-6b2ac6b 2187->2199 2200 6b2ac4e-6b2ac5f 2187->2200 2188->2187 2190->2155 2190->2175 2191->2190 2203 6b2ac6d call 6b2add0 2199->2203 2204 6b2ac6d call 6b2adbf 2199->2204 2200->2155 2202 6b2ac73-6b2ac75 2202->2155 2203->2202 2204->2202
Strings
Memory Dump Source
• Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
Similarity
• API ID:
• String ID: $
• API String ID: 0-3993045852
• Opcode ID: 4becd9b898052fcbbfe3f506eea7a6faf45aa905a93a6c43bffccf59a86289fd
• Instruction ID: f1cbd220104c87b18ce4b0f2ca4e7e9c1b1c93df3b46d10eb9aa6d6a294e6c4c
• Opcode Fuzzy Hash: 4becd9b898052fcbbfe3f506eea7a6faf45aa905a93a6c43bffccf59a86289fd
• Instruction Fuzzy Hash: F1E1D271E002268FDF64DBA4C4946AEF7F2FF88314F2085A9D859AB344DB319D46CB91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed): basic blocks 6b01f10-6b0202c, one call to CallWindowProcW; node and edge listing omitted, graph not recoverable as text
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 06B01FD1
Memory Dump Source
• Source File: 00000003.00000002.3051819549.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6b00000_RegAsm.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: 520433a895951a69eb4fc0f4d30c184187ffa17077a803324d8aff3114d61dc9
• Instruction ID: 1ed79d49911c92b4081dd6202b5b2db039722d02fbd0c564698f0ec27c7570e4
• Opcode Fuzzy Hash: 520433a895951a69eb4fc0f4d30c184187ffa17077a803324d8aff3114d61dc9
• Instruction Fuzzy Hash: 0B4106B5900309CFDB54CF99C448AAABFF9FB88314F24C499E519AB361D774A841CFA0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed): basic blocks 2d0c1db-2d0c29a, one call to DuplicateHandle; node and edge listing omitted, graph not recoverable as text
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D0C267
Memory Dump Source
• Source File: 00000003.00000002.3042621439.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d00000_RegAsm.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: b5481fc91669adfb7b81bcf2ad78195bac168d909cfa18f3d77a436bddd6b4d3
• Instruction ID: f56f0e679b8cd9e8cca3e2132e6136a223aaf09be96eb4cc814af77f32640dcf
• Opcode Fuzzy Hash: b5481fc91669adfb7b81bcf2ad78195bac168d909cfa18f3d77a436bddd6b4d3
• Instruction Fuzzy Hash: E921E2B5900248AFDB10CFAAD984ADEBFF4EB48720F14841AE918A7350C374A954CFA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed): basic blocks 2d0c1e0-2d0c29a, one call to DuplicateHandle; node and edge listing omitted, graph not recoverable as text
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D0C267
Memory Dump Source
• Source File: 00000003.00000002.3042621439.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d00000_RegAsm.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: f5d4343aa353caaef94b743e951755c4ec0772e032c869cd6e6e73476a47248b
• Instruction ID: 785853672fede32a0b8bb2f4c37c0d7f15f9c30759a657ea9c8e8ad528e21ae6
• Opcode Fuzzy Hash: f5d4343aa353caaef94b743e951755c4ec0772e032c869cd6e6e73476a47248b
• Instruction Fuzzy Hash: F121E2B59002489FDB10CFAAD984ADEBFF4EB48720F14841AE918A7350C374A954CFA4
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed): basic blocks 2d0d9bc-2d0df74, one call to EnumThreadWindows; node and edge listing omitted, graph not recoverable as text
APIs
• EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E58,?,?,02D0DEA0,03E241C4,02E75058), ref: 02D0DF31
Memory Dump Source
• Source File: 00000003.00000002.3042621439.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d00000_RegAsm.jbxd
Similarity
• API ID: EnumThreadWindows
• String ID:
• API String ID: 2941952884-0
• Opcode ID: 2682a8dc6c92a61092a75ff016af6ef645c7de51f659cf75b5673b57908daec9
• Instruction ID: c44826fd1014acf892f8960edbc7605eb1bcfaf9e8d92853bb111ad4dfcc8362
• Opcode Fuzzy Hash: 2682a8dc6c92a61092a75ff016af6ef645c7de51f659cf75b5673b57908daec9
• Instruction Fuzzy Hash: 78214971D002498FDB10CF9AC884BEEFBF5EB88324F14842AE458A7390D774A945CFA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed): basic blocks 2d0deb8-2d0df74, one call to EnumThreadWindows; node and edge listing omitted, graph not recoverable as text
APIs
• EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E58,?,?,02D0DEA0,03E241C4,02E75058), ref: 02D0DF31
Memory Dump Source
• Source File: 00000003.00000002.3042621439.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d00000_RegAsm.jbxd
Similarity
• API ID: EnumThreadWindows
• String ID:
• API String ID: 2941952884-0
• Opcode ID: a83897e549ca75bae10590573680268abe0852475e7a18e8c53cd6a252a0a7d5
• Instruction ID: 08ff23a2e5fac1c8d1e294607f58487785460a7ed19420a472e4fa9f74c84bea
• Opcode Fuzzy Hash: a83897e549ca75bae10590573680268abe0852475e7a18e8c53cd6a252a0a7d5
• Instruction Fuzzy Hash: 47213B71D002498FDB14CF9AC844BEEFBF5EB88324F14842AE458A7390D774A945CFA5
Uniqueness

Uniqueness Score: -1.00%

APIs
• MessageBoxW.USER32(?,00000000,00000000,?,?,?,?,?,?,?,02D0AE8D,?,?,?), ref: 02D0E2CD
Memory Dump Source
• Source File: 00000003.00000002.3042621439.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d00000_RegAsm.jbxd
Similarity
• API ID: Message
• String ID:
• API String ID: 2030045667-0
• Opcode ID: 627d29fc9c7391ba36d71637afbee5c26fabcae86b20b9f1923572da0beb6a7d
• Instruction ID: 5fe4924b54662693199ae2b796d17a73ddd275c01353ef67433f1bdf6894328e
• Opcode Fuzzy Hash: 627d29fc9c7391ba36d71637afbee5c26fabcae86b20b9f1923572da0beb6a7d
• Instruction Fuzzy Hash: FB2104B69013499FDB10CF9AD884ADEFBF5FB48314F14892AE818A7310C375A944CBA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed): basic blocks 2d0a810-2d0e2f7, one call to MessageBoxW; node and edge listing omitted, graph not recoverable as text
APIs
• MessageBoxW.USER32(?,00000000,00000000,?,?,?,?,?,?,?,02D0AE8D,?,?,?), ref: 02D0E2CD
Memory Dump Source
• Source File: 00000003.00000002.3042621439.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d00000_RegAsm.jbxd
Similarity
• API ID: Message
• String ID:
• API String ID: 2030045667-0
• Opcode ID: 8b309e229094ff802b4d04ef9c69360b8ab0fe564108d2e5216e3d736196d401
• Instruction ID: cf2be6d59d522e61f0b01429e40c2ab3fa8ef56071169a38cdfa584c3634cc21
• Opcode Fuzzy Hash: 8b309e229094ff802b4d04ef9c69360b8ab0fe564108d2e5216e3d736196d401
• Instruction Fuzzy Hash: 6C2123B69003099FCB10CF9AD884BDEBBF4FB48314F10882EE818A7310C374A944CBA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• DeleteFileW.KERNEL32(00000000), ref: 02D0EA50
Memory Dump Source
• Source File: 00000003.00000002.3042621439.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d00000_RegAsm.jbxd
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
• Opcode ID: d184d54a8b7f60a333b19ff3ae31ee4879f3b1be58863dc24a9a55c8c84d5485
• Instruction ID: 7c31e73b753ce754c55022df68e0c4cddbd2a9811e16880555a84984a1923ed6
• Opcode Fuzzy Hash: d184d54a8b7f60a333b19ff3ae31ee4879f3b1be58863dc24a9a55c8c84d5485
• Instruction Fuzzy Hash: EB2147B2D046599BCB10CF9AD54479EFBF0FB48320F10852AE858A7350D334A940CFA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• DeleteFileW.KERNEL32(00000000), ref: 02D0EA50
Memory Dump Source
• Source File: 00000003.00000002.3042621439.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d00000_RegAsm.jbxd
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
• Opcode ID: 3fdce3bae4c7e3712f5e48d4bd539c15ffb935087879faa4e75d35e7bc2acee2
• Instruction ID: 4e75bda8bda89aadfcb99eb69618d3b6a41e66b26dc62f9b3861cd79da17af3b
• Opcode Fuzzy Hash: 3fdce3bae4c7e3712f5e48d4bd539c15ffb935087879faa4e75d35e7bc2acee2
• Instruction Fuzzy Hash: F62124B6D0061A9BCB10CF9AD5457EEFBB4BF48320F14852AD858B7350D338A944CFA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• DispatchMessageW.USER32(00000006), ref: 06B04E3D
Memory Dump Source
• Source File: 00000003.00000002.3051819549.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6b00000_RegAsm.jbxd
Similarity
• API ID: DispatchMessage
• String ID:
• API String ID: 2061451462-0
• Opcode ID: 490602403fcf09fe4fc9e302c9a8e4f19db643d5dd0584c0a7550aa81872b0b8
• Instruction ID: 0745f651a63e5aedf21b24de61bb68f9af843d4b970bcb26d2f5a1eb0f43995a
• Opcode Fuzzy Hash: 490602403fcf09fe4fc9e302c9a8e4f19db643d5dd0584c0a7550aa81872b0b8
• Instruction Fuzzy Hash: D211F2B5D00648CFCB24DF9AD844ACEFFF4EB48324F10845AE918A7210C378A544CFA5
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • OleInitialize.OLE32(00000000), ref: 02D0CC5D
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.3042621439.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_3_2_2d00000_RegAsm.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Initialize
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2538663250-0
                                                                                                                          • Opcode ID: 089dcc9409d8888522761e48bb6fe1e432fced371e160cd54d78b5f9b1f0169d
                                                                                                                          • Instruction ID: 28ce5cea5073fa22f33dfefac0fe6444b3404910fba45398c5d466d1e3f1a5f5
                                                                                                                          • Opcode Fuzzy Hash: 089dcc9409d8888522761e48bb6fe1e432fced371e160cd54d78b5f9b1f0169d
                                                                                                                          • Instruction Fuzzy Hash: 1D1115B19007488FCB20DF9AD588BDEBBF4EB48324F24855AD558A7360C374A944CFA5
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • OleInitialize.OLE32(00000000), ref: 02D0CC5D
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.3042621439.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_3_2_2d00000_RegAsm.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Initialize
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2538663250-0
                                                                                                                          • Opcode ID: e5bf83785d3d38660800b98d52bfed37071223e381c0d18a30ddc530326346a2
                                                                                                                          • Instruction ID: 2e3cab901dd7f0859a85621f71583a79edf9304261af647d54c91cc2334f8792
                                                                                                                          • Opcode Fuzzy Hash: e5bf83785d3d38660800b98d52bfed37071223e381c0d18a30ddc530326346a2
                                                                                                                          • Instruction Fuzzy Hash: 771115B19006488FCB20DF9AD589BCEFFF4EB48324F14855AD518A7360C374A944CFA5
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D0C267
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.3042621439.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_3_2_2d00000_RegAsm.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: DuplicateHandle
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3793708945-0
                                                                                                                          • Opcode ID: 1cf0b195725705ef098ce3f994f3b5588dceb417756adc1b71de5a752d804a4d
                                                                                                                          • Instruction ID: ed57ca469aad844187333c85e4b267639fdd46b57fffa801e4b40887f8279d0c
                                                                                                                          • Opcode Fuzzy Hash: 1cf0b195725705ef098ce3f994f3b5588dceb417756adc1b71de5a752d804a4d
                                                                                                                          • Instruction Fuzzy Hash: FB018C71910208DFDB10DFE9D884BEEBBF4EF49724F14820AE465A72A0C3359841CF61
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • DispatchMessageW.USER32(00000006), ref: 06B04E3D
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.3051819549.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_3_2_6b00000_RegAsm.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: DispatchMessage
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2061451462-0
                                                                                                                          • Opcode ID: df92c7ec320c1d020f7bfc488250fe29891bda18aba5fe06aebc0b512a9ca0ea
                                                                                                                          • Instruction ID: 70e9226040d2da05d29aa36375faebc90989244ae1b792c5b3817a9fd711ab2c
                                                                                                                          • Opcode Fuzzy Hash: df92c7ec320c1d020f7bfc488250fe29891bda18aba5fe06aebc0b512a9ca0ea
                                                                                                                          • Instruction Fuzzy Hash: 1611FEB1D00648CFCB10CF9AD848ACEFFF4EB48324F10846AD518A7210C378A544CFA5
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D0C267
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.3042621439.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_3_2_2d00000_RegAsm.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: DuplicateHandle
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3793708945-0
                                                                                                                          • Opcode ID: 9aee96e839fcf5eb23efae1af003a5da6e08882e06711123a2d353053e3c2f39
                                                                                                                          • Instruction ID: 940b21d226fd5ccd79a55e374f1e31da067a6004e3793912a37b6448b40d22e0
                                                                                                                          • Opcode Fuzzy Hash: 9aee96e839fcf5eb23efae1af003a5da6e08882e06711123a2d353053e3c2f39
                                                                                                                          • Instruction Fuzzy Hash: 2DF0EC325053808FD7219BB8D444389FFE0DF95318F28C45BD085C76A2C2395444CB51
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: PH^q
                                                                                                                          • API String ID: 0-2549759414
                                                                                                                          • Opcode ID: 1b34ff01edd68f1004260fe5eb9ba6c257f1376060aae9866e5ad27b75d29b08
                                                                                                                          • Instruction ID: 3364ae1ed4eb81627f1afe89e7370a5c8c143d3ec8b08d02779bbe8a79682b52
                                                                                                                          • Opcode Fuzzy Hash: 1b34ff01edd68f1004260fe5eb9ba6c257f1376060aae9866e5ad27b75d29b08
                                                                                                                          • Instruction Fuzzy Hash: FD312370B002128FCB69AB74C55466E7BE2FB89200F2445B9D80ADB385DF34CC47CB95
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: PH^q
                                                                                                                          • API String ID: 0-2549759414
                                                                                                                          • Opcode ID: b48b9943cb74f44a91df5b7cba3799d8d934d236e86f4f935fc7a632cd6c2931
                                                                                                                          • Instruction ID: 82e059bdc1c684afae48903415f362bf3d862ebae8dde3b2b1978354a1e65cf0
                                                                                                                          • Opcode Fuzzy Hash: b48b9943cb74f44a91df5b7cba3799d8d934d236e86f4f935fc7a632cd6c2931
                                                                                                                          • Instruction Fuzzy Hash: 55310270B002168FDB69AB74C51466E7AE3FF89600F2085B9D80ADB384EF35DD46CB95
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: $^q
                                                                                                                          • API String ID: 0-388095546
                                                                                                                          • Opcode ID: bbc7ab17683c1a713311c3cd64a6033dca8645d81a3ce77b3657cb5b29bf9749
                                                                                                                          • Instruction ID: 6e0c824de612e0532183e10a9dad8b4bdddbdc164340fc7d0b877f6ba783e3bb
                                                                                                                          • Opcode Fuzzy Hash: bbc7ab17683c1a713311c3cd64a6033dca8645d81a3ce77b3657cb5b29bf9749
                                                                                                                          • Instruction Fuzzy Hash: B9F0ECB5E0813ACFEFB48B01EA846AC77F1FF00310F1884A2D809A7188C330E942CB80
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: c00411fe3118d4b313c2d296e89e8b11c2f70e255ae06176de54d1a4213e2daf
                                                                                                                          • Instruction ID: ecb660924b8a334580dd6323f535bd09ac7b6b7945f7b3f72576c36bb1676906
                                                                                                                          • Opcode Fuzzy Hash: c00411fe3118d4b313c2d296e89e8b11c2f70e255ae06176de54d1a4213e2daf
                                                                                                                          • Instruction Fuzzy Hash: E6F18274E002168FDB64DF68D9846AEBBF2EF89310F1485A5DA0AE7394DB31DC42CB51
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 4d1fde108a95e53a51d11efe406f62088610cfedc8e4bc20d1d86ba545d210d3
                                                                                                                          • Instruction ID: 2dd608843fe5970ab448d0ef2d75588dd9b61bc63fd90799b6840c6ed6c35cd9
                                                                                                                          • Opcode Fuzzy Hash: 4d1fde108a95e53a51d11efe406f62088610cfedc8e4bc20d1d86ba545d210d3
                                                                                                                          • Instruction Fuzzy Hash: 1F917F74A001159FDB54EF68D584AADBBF2FF88314F1485A5EA0AE7364DB30DD42CB90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 2b0a847492b0e5a05e0fcf249134ae9594487694c0b2220ced2cbd72d9fac837
                                                                                                                          • Instruction ID: eb74aea2da4c7064977843fb018bef2c867bdf7f53c3113db3491e5bc0987565
                                                                                                                          • Opcode Fuzzy Hash: 2b0a847492b0e5a05e0fcf249134ae9594487694c0b2220ced2cbd72d9fac837
                                                                                                                          • Instruction Fuzzy Hash: 1C814B70F002168FDB55EBA9C59476EB7F6AF89300F108569D40EEB395EB30E8468B91
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6c66d9dda15854a2baea0c77ff49e1528925d7187a5b0ba1101f2a5696d50ef4
• Instruction ID: c240739bd2d92a7a93aff24e4517548d09b2382ff8e7f3442f5a06d797cac2f9
• Opcode Fuzzy Hash: 6c66d9dda15854a2baea0c77ff49e1528925d7187a5b0ba1101f2a5696d50ef4
• Instruction Fuzzy Hash: 9C61B2B1F001224FCB649A7EC89466FBAD7EFC4624B15447AD80EDB364DE65ED0287C2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 724520189ce20bc381748801fd63ce6996fb75deccd47193c6820bd19990dcfe
• Instruction ID: fb1c55501c7a0e5371bcce3a2501c99fd8dc6480f6fdf677e65eb5cda7eeed13
• Opcode Fuzzy Hash: 724520189ce20bc381748801fd63ce6996fb75deccd47193c6820bd19990dcfe
• Instruction Fuzzy Hash: 9E815870B002168FDB55EBAAD49476EB7F2EF89304F108569D40EDB395EB34E8428B91
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 83f5ccf74f7dcba6ea5b549882f2eadaeb35bb30eecf81255e9edb478f450d39
• Instruction ID: 10475d690287aeec0bfa39767baf5068a6572ec2d8a5e6da6c72b93c6d1db956
• Opcode Fuzzy Hash: 83f5ccf74f7dcba6ea5b549882f2eadaeb35bb30eecf81255e9edb478f450d39
• Instruction Fuzzy Hash: 1D813A70F0021A8FDB55EBA9D59476EB7E6EF89304F108569D40EDB384EB34EC428B91
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 55e51e1daa796e0843d0fb59d7c395f24828f76134c57a918149939ac1e69f7d
• Instruction ID: 634ee0233a668f078b11d48b57c7e2b7887a8e091e89ac9d9b436124fae4a989
• Opcode Fuzzy Hash: 55e51e1daa796e0843d0fb59d7c395f24828f76134c57a918149939ac1e69f7d
• Instruction Fuzzy Hash: F0915E70E1021A8FDF60DF68C890B9DB7B2FF89310F208599D44DAB295DB70A985CF91
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a2e540cf50c98b949be41d325c1d808e4a337fb25ee11b904b144e8f7e3c6177
• Instruction ID: 0a29b438a302af6a79af67ca54b6351d26837405d53e36cfd7a317f2d209fc2e
• Opcode Fuzzy Hash: a2e540cf50c98b949be41d325c1d808e4a337fb25ee11b904b144e8f7e3c6177
• Instruction Fuzzy Hash: 44817E75A002058FDB54DF6DD984B9DBBF6FF88310F14C2A9EA08AB395DB709845CB90
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cb2686eb7eefbcaa07d379da04cd0b48a9f20611710e038cf0ae90b3cb760059
• Instruction ID: 851c03c32572ce69ac8f13025b5f758e5fad40dfa077806f1ded72396b48acdb
• Opcode Fuzzy Hash: cb2686eb7eefbcaa07d379da04cd0b48a9f20611710e038cf0ae90b3cb760059
• Instruction Fuzzy Hash: F5914E70E1021A8BDF64DF68C880B9DB7B2FF89310F208595D44DAB255DB70A985CF91
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 50e707424b9278d30e7418c6d15d494d9e84c27ebec633e311f7f3e934fa6e30
• Instruction ID: e27c5daf2921076fa4efffc6ab46dd4bc54e743f0dea6761296f438ba491dd7b
• Opcode Fuzzy Hash: 50e707424b9278d30e7418c6d15d494d9e84c27ebec633e311f7f3e934fa6e30
• Instruction Fuzzy Hash: 1751B0B4E102568FDF718B68C4C077EBBF2EB45310F2098A6D06ECB2A6C634E841CB55
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f4f1cca82fb6fc55207d6a3b568a06474488734e85cf91056eb0d5cf7757d16f
• Instruction ID: 137bee535ac7b1119a87dab159ee3ad00fba69dc6d72215081fb76ef8546085d
• Opcode Fuzzy Hash: f4f1cca82fb6fc55207d6a3b568a06474488734e85cf91056eb0d5cf7757d16f
• Instruction Fuzzy Hash: 35411DB1E0061A8FDF60CEA9D8C0AAFF7F6FB84310F10496AD25AD7654D330E9458B91
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 110fbb4fe4a041c4334deba6bccf45fcc95e44663117196cdf9e0f9142f189b0
• Instruction ID: e9e9d409a47ebff0480b906ea2e60d72ac0cd434146b63c9213d8bcdc5e80a5c
• Opcode Fuzzy Hash: 110fbb4fe4a041c4334deba6bccf45fcc95e44663117196cdf9e0f9142f189b0
• Instruction Fuzzy Hash: C941CEB5E002269FDB50DFA9E880BEEBBF0EB48310F148169E949E7250D735D845CBA5
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 220959e05e118d55ecb54b1aa2da95f588089d15c031a83da7715dbcb1721bc2
• Instruction ID: 530d045f59d39cd9fa0dbad9b9804745cdc4295b0f19929b7675fae96bf83bc6
• Opcode Fuzzy Hash: 220959e05e118d55ecb54b1aa2da95f588089d15c031a83da7715dbcb1721bc2
• Instruction Fuzzy Hash: CA318374E102169FCB55DFA9D85469EB7F2FF89300F148569E80AE7350DB31AD42CB50
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 22f662a60d1b14b9268e5a619ce533367e69127aa7a7ddd707304dc7be437f95
• Instruction ID: f7cd6519b29613e6c0489754fb0b477ab5663cd822f1db839aaf42c2be97a4c2
• Opcode Fuzzy Hash: 22f662a60d1b14b9268e5a619ce533367e69127aa7a7ddd707304dc7be437f95
• Instruction Fuzzy Hash: 1C2123317041614FCB65E73CE05472EBBD7DF84320F2484AAE009CB3A2DE2ADC0683A1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 896ed9388860658e807ea5c4a91797c1304eecff904e44f7308870eee4b6f343
• Instruction ID: 6591bcc3163353ded7ab5ada2013916eb5bebca4fb5ed4b34d234c0c91fcff83
• Opcode Fuzzy Hash: 896ed9388860658e807ea5c4a91797c1304eecff904e44f7308870eee4b6f343
• Instruction Fuzzy Hash: 3F316370E1022A9BCB59DFA9D49469EB7F2FF89300F148569E80AE7350DB71ED42CB50
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8d00956945bd6f126a12ecbc03db3306fffaaa438d6eb88406cc03acab929550
• Instruction ID: d2bc3d4c2846e3710c8eb5f76ff7ac54ff1b3d310b8d42864ab8df226bda7c99
• Opcode Fuzzy Hash: 8d00956945bd6f126a12ecbc03db3306fffaaa438d6eb88406cc03acab929550
• Instruction Fuzzy Hash: C131B170E1022A9FDF49DFA8C88079EF7B2FF49304F148655E909AB244DB709886CB80
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5b09104eb33329ee1fecf1fad8c17cab77575ce601794b688bc568985b42a2c1
• Instruction ID: 8f6aaf12f62c4ce2974ff5e73d100162b50c3f72e1dfd8b6a21a977e83e08038
• Opcode Fuzzy Hash: 5b09104eb33329ee1fecf1fad8c17cab77575ce601794b688bc568985b42a2c1
• Instruction Fuzzy Hash: DA219AB5E002269FDB40DFA9D980BAEBBF1EB48610F108169E909E7354E730D8418B95
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eeefe9d2a1ea767f8be6641a3bd7f32b492a34defa48fac1124c9cd8042f3476
• Instruction ID: 06043a029fbccc10c396256fdea0d2578fc6cf639ebd3b8464a3b194838e4dca
• Opcode Fuzzy Hash: eeefe9d2a1ea767f8be6641a3bd7f32b492a34defa48fac1124c9cd8042f3476
• Instruction Fuzzy Hash: 85218570E1022A9BDB55DFA9C84069EF7B2FF95304F14C659E909AB340DB709D86CB90
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 433296b46c42249dd5c98f1748aebe2f20ff9e6fa3c28c620561073bbfda2153
                                                                                                                          • Instruction ID: 7b914f07d900123d361d189ba33ef06160fe0b8398532b3797bc5cb5ff3dc525
                                                                                                                          • Opcode Fuzzy Hash: 433296b46c42249dd5c98f1748aebe2f20ff9e6fa3c28c620561073bbfda2153
                                                                                                                          • Instruction Fuzzy Hash: CF21C170E002569BDB49CFA8C8506DEB7F2FF89310F14865AE919FB390DB719846CB91
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.3040796996.000000000119D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0119D000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_3_2_119d000_RegAsm.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: cd7f7796d28286efcb1afd37e9b85802858ccbb116ded8a74c690feab973f984
                                                                                                                          • Instruction ID: d9d293cfbd17f899deed481a8cf85214519a299b12b6ffe8c336112334eb64ab
                                                                                                                          • Opcode Fuzzy Hash: cd7f7796d28286efcb1afd37e9b85802858ccbb116ded8a74c690feab973f984
                                                                                                                          • Instruction Fuzzy Hash: 4C2104B2604240DFDF09DF58EAC4B26BBA5FB84314F24C57DE8094B256C37AD446CA62
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 6ac94ddf2ca957617fffc2b33ccd15e700714fe14dde04768420af85e93c5a96
                                                                                                                          • Instruction ID: db070b2d7581693030e492570c8643f16471ed224e64cc072ff63bfe8573fdbe
                                                                                                                          • Opcode Fuzzy Hash: 6ac94ddf2ca957617fffc2b33ccd15e700714fe14dde04768420af85e93c5a96
                                                                                                                          • Instruction Fuzzy Hash: 47210470B200259FDF94EB69E85069EBBF7EB88214F1489A5D509DB384DB31DC42CB80
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: b47b037bd361f3283875b798342341280ecc896969c9d6dc9c4a81cae2de1ff1
                                                                                                                          • Instruction ID: 8fcb3d442470f6c6f6b632564e841f6282f7b52f28503549cd50b2182933ce33
                                                                                                                          • Opcode Fuzzy Hash: b47b037bd361f3283875b798342341280ecc896969c9d6dc9c4a81cae2de1ff1
                                                                                                                          • Instruction Fuzzy Hash: 3A21D370E002569BCB45CFA8C45059EF7F2FF88300F10861AE909FB340DB709846CB91
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 809dd21e1b402d041e8fe2201f252e5db7340b1cdff318b85e458c71f4430049
                                                                                                                          • Instruction ID: c430917c5dce0bdd6e934db66336bd23d56fe19094a1451b25634faeb73693d8
                                                                                                                          • Opcode Fuzzy Hash: 809dd21e1b402d041e8fe2201f252e5db7340b1cdff318b85e458c71f4430049
                                                                                                                          • Instruction Fuzzy Hash: 9A21C070B1012A9BDF94EB69E85069EB7F7EB84214F1489A9D509E7344DB31DC42CB81
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: edb7722969880fabe76e7107bc9e6dc976ccf329d369dcf6d93f4295e5fa7c65
                                                                                                                          • Instruction ID: 2e29aa3a17a40926ba04f91e51ca9214cf47e090186eaef40a8c01ad0c986996
                                                                                                                          • Opcode Fuzzy Hash: edb7722969880fabe76e7107bc9e6dc976ccf329d369dcf6d93f4295e5fa7c65
                                                                                                                          • Instruction Fuzzy Hash: 9421F0B2D01259AFCB00DF9AD884ADEFFB4FB48324F10856AE518B7201C3746554CFA5
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 3aea5e27fff6d9107bacf9ed19562702e586f54c70c342ceeb0955649bf8d5ff
                                                                                                                          • Instruction ID: 6430df3ab725bdc760b31c7908b5582cdc7831cb32568945d966a7aff75713e0
                                                                                                                          • Opcode Fuzzy Hash: 3aea5e27fff6d9107bacf9ed19562702e586f54c70c342ceeb0955649bf8d5ff
                                                                                                                          • Instruction Fuzzy Hash: 73116D76F101299FDB549A78D814AAFB3EAEBC9650F00457AD40EE7344EF24DC0A8BD1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 1d821f475e075f928a8624ecd880c15cad8ccb29c7409f8758ab3fc855da1d65
                                                                                                                          • Instruction ID: ea90ea55cacd27f40bd3cbab136e86074aa19e8f4c7f9b67ed0be5a641f7003d
                                                                                                                          • Opcode Fuzzy Hash: 1d821f475e075f928a8624ecd880c15cad8ccb29c7409f8758ab3fc855da1d65
                                                                                                                          • Instruction Fuzzy Hash: A5019BB07A83638AFBA636B6159437639EDDB44298F0404B9D94FC7293EA59CC00C661
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.3040796996.000000000119D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0119D000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_3_2_119d000_RegAsm.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 17de7163a1e12a4c5df783ee0f29f24f6994aba7d146e6d7d26c00eb2d5c80d5
                                                                                                                          • Instruction ID: 6aef368fdbf9007b8db53ceaec2071ff8cd28aad0887e8cb88b835613853a6e4
                                                                                                                          • Opcode Fuzzy Hash: 17de7163a1e12a4c5df783ee0f29f24f6994aba7d146e6d7d26c00eb2d5c80d5
                                                                                                                          • Instruction Fuzzy Hash: C51190B6504280DFDF06CF58D9C4B15BF61FB84314F24C6AAD8494B656C33AD44ACB61
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 01f68c597ba4cfb64cd84f11c527121610327534a47fb350799b76f3254dee6d
                                                                                                                          • Instruction ID: 35f3005d953fda81f75d385ff2fdc003ba4380db6d6e121d3dcd0ae23d33c308
                                                                                                                          • Opcode Fuzzy Hash: 01f68c597ba4cfb64cd84f11c527121610327534a47fb350799b76f3254dee6d
                                                                                                                          • Instruction Fuzzy Hash: E6016171E002399EDBA8DBB9CC405DEF7F6EF89310F1085A9D41AE7244DA319A85CB91
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 300415bcdb75cc386a6ed0e69ca06020e4130a381e7749d9967a941b3cefab11
                                                                                                                          • Instruction ID: ce37bcc845011518cf36f3572911745551b00f7d499b4e4d31d788d78e48ad6a
                                                                                                                          • Opcode Fuzzy Hash: 300415bcdb75cc386a6ed0e69ca06020e4130a381e7749d9967a941b3cefab11
                                                                                                                          • Instruction Fuzzy Hash: F611CEB1D01259ABCB00DF9AD884ADEFFB4FB48324F10852AE918A7200C374A954CBA5
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: e0c4c011b6481252508e6ccf595c1de04ea92f676b7d32617954fa7b16bc1594
                                                                                                                          • Instruction ID: 650492c0ddcc935747d01d87f8eb5fd7a61c6110f552e5b222e13eebab88d037
                                                                                                                          • Opcode Fuzzy Hash: e0c4c011b6481252508e6ccf595c1de04ea92f676b7d32617954fa7b16bc1594
                                                                                                                          • Instruction Fuzzy Hash: F0018B71B101250FDBA4A66E940072BE3DBDBC9A20F14983AE40EC7344DA65DC024385
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
                                                                                                                          Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 631328038297bd8093998af5b32a91c203133b026f01c35c91590f177a66d6e3
• Instruction ID: 7a9fa773f0725913d1b4a8e5a54ca406de260df93de61f1921d19a94bce2aec2
• Opcode Fuzzy Hash: 631328038297bd8093998af5b32a91c203133b026f01c35c91590f177a66d6e3
• Instruction Fuzzy Hash: 4201F730B441654FDB65EB7CE850B3B7BEAEB4A614F108468E11EC7355DA11DC02C795
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 31c5122c5c16aab7af690746c00a56f1ec97ff11285a4ce8923ada53d42a81dc
• Instruction ID: efa919534db8d386a97a411ee4f5bfa10b6fcfc33869521063fc60351c136a08
• Opcode Fuzzy Hash: 31c5122c5c16aab7af690746c00a56f1ec97ff11285a4ce8923ada53d42a81dc
• Instruction Fuzzy Hash: E2018F76F100255FEB549AB8DC107EF73AAABC8610F00417AD50EE7244EF2498064B92
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5e872f0685e601045cffde165eed8bddbc6ecc066a3d4885708ab41895241778
• Instruction ID: e45f0a64d19b0ed0af6ca3e0a72c62c16f5aaff5d2e0e97100c71b96df6451d1
• Opcode Fuzzy Hash: 5e872f0685e601045cffde165eed8bddbc6ecc066a3d4885708ab41895241778
• Instruction Fuzzy Hash: 2201A470F401264FDBA4EA7DE950B3B73EAEB89714F108578E51EC7354EA21EC428785
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2363aa985f4e95c4d0e36d91139f61594fb93fd7f453aa04a1c64870a7923426
• Instruction ID: aa1176dd1e168371ef647c6b43a8b827cdd48b3113ba42ca389886d21a7989c1
• Opcode Fuzzy Hash: 2363aa985f4e95c4d0e36d91139f61594fb93fd7f453aa04a1c64870a7923426
• Instruction Fuzzy Hash: 2CE022B0E0801A9BDF50CEB8E96439A3BEADB41308F3049E5D01CCB251E636CA118340
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 01286a41a581f462f2cd16cd00c9152f092291e3d396a91bfb7fb991edc7bf5d
• Instruction ID: 4fcf6d7e0ef8c29a8a01b2c0828a647ec094cd47e95e15ab708a359e9b977cb5
• Opcode Fuzzy Hash: 01286a41a581f462f2cd16cd00c9152f092291e3d396a91bfb7fb991edc7bf5d
• Instruction Fuzzy Hash: 8CE0C2F0F1011EABDF50DAB4C95575B73ECD701308F2089E5D50CCB240E676CA019780
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dd0ad6b2d677ea7607adc91f48c6f8b26c061f296f37e05e8afc3d7e2bbc7ded
• Instruction ID: 5256dfe4850c716cab47ada5489e78af688c5bc8e80b12d16b2a22abe44f60f3
• Opcode Fuzzy Hash: dd0ad6b2d677ea7607adc91f48c6f8b26c061f296f37e05e8afc3d7e2bbc7ded
• Instruction Fuzzy Hash: 23C0125000E2605FE7022B204D00ADA3B259F512C0B4A01C2A5409A063C2188A59ABB2
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
Similarity
• API ID:
• String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
• API String ID: 0-2222239885
• Opcode ID: e67ca6df1ede5f23a1751bdf828db83c66cfa2c9be99e7aa138e9f6c58e2a2c7
• Instruction ID: 23272cb335ecc79bb92df343297c59722530f7d048ed43bbd4c0bb0471e6c45b
• Opcode Fuzzy Hash: e67ca6df1ede5f23a1751bdf828db83c66cfa2c9be99e7aa138e9f6c58e2a2c7
• Instruction Fuzzy Hash: CE122E70E4022A8FDBA4DF65C85469DBBF2FF89704F2085A9D409AB365DB309D85CF81
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
Similarity
• API ID:
• String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
• API String ID: 0-3823777903
• Opcode ID: fedc6956ae19fd737055dc1bd4c2775b5467c629e84764febcc593a4df037704
• Instruction ID: 5681f0be3d3f06a8eeea0476ecc98909cf11130fa4cf7d3296baac9971a88c0c
• Opcode Fuzzy Hash: fedc6956ae19fd737055dc1bd4c2775b5467c629e84764febcc593a4df037704
• Instruction Fuzzy Hash: 3D91AE70E8021ADFEB68DB65D598BBEB7FAEF44300F108569D4099B3A4CB349C45CB90
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
Similarity
• API ID:
• String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
• API String ID: 0-390881366
• Opcode ID: 5ee57559a3392b8cd906c5fbeedf1eba8b62c94872e3375e03d1da76cc86f3c2
• Instruction ID: 1a03dc62863f26ebf51563e302a082c4fbe8224ce974ca5232e96f6239a47da6
• Opcode Fuzzy Hash: 5ee57559a3392b8cd906c5fbeedf1eba8b62c94872e3375e03d1da76cc86f3c2
• Instruction Fuzzy Hash: 9BF13C70A00219CFDB99EB65C594B6EBBB2FF84300F108569D41A9B3A9DB31DC42CB91
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
Similarity
• API ID:
• String ID: $^q$$^q$$^q$$^q
• API String ID: 0-2125118731
• Opcode ID: bf98f317b16c8a6db5483f0c86c1ac7276dae5d1dd8650f543f907bbb4c5eb58
• Instruction ID: fc509faa75b9e89a871865daae58542fc9d19ec624521b66956c61c2db0267b2
• Opcode Fuzzy Hash: bf98f317b16c8a6db5483f0c86c1ac7276dae5d1dd8650f543f907bbb4c5eb58
• Instruction Fuzzy Hash: B8B16B70E002198FDB58EF69D5847AEB7F2EF88304F249969D0099B395DB34DC86CB90
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.3051879278.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6b20000_RegAsm.jbxd
Similarity
• API ID:
• String ID: LR^q$LR^q$$^q$$^q
• API String ID: 0-2454687669
• Opcode ID: f75cb4364ec0a5a63d2c8fbe752ee2020c925f8840621cf5f0dbc98a88544541
• Instruction ID: f78ab57cfd6c602d1b41653424d46044524a2a7874a1aab7c91f1a6dd92989c1
• Opcode Fuzzy Hash: f75cb4364ec0a5a63d2c8fbe752ee2020c925f8840621cf5f0dbc98a88544541
• Instruction Fuzzy Hash: A251D570F002269FDB58EF39D854A6A77E6FF85700F1486A8E5099B3A6DB30EC45CB50
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.1948748510.0000000002460000.00000040.00000800.00020000.00000000.sdmp, Offset: 02460000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_2460000_cbsBVT.jbxd
Similarity
• API ID:
• String ID: <Qx$D@x$D@x$D@x$D@x
• API String ID: 0-2174297539
• Opcode ID: c3436d99f62021db991746c96c1aebf382d80664f469d4d14d182ba0355fd524
• Instruction ID: 7fe300d174e57095987a5701dfe0ae7c0257f1728c738c35c29431ecdd371676
• Opcode Fuzzy Hash: c3436d99f62021db991746c96c1aebf382d80664f469d4d14d182ba0355fd524
• Instruction Fuzzy Hash: 6F029030A006159FCB15DF68C888AAEBBF6FF84344B24C569D40E9B355DB75EC42CB92
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.1948748510.0000000002460000.00000040.00000800.00020000.00000000.sdmp, Offset: 02460000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_2460000_cbsBVT.jbxd
Similarity
• API ID:
• String ID: D@x$D@x
• API String ID: 0-498500616
• Opcode ID: e3754bf166b71890747d70b68c77e3f123bb0cd588c9ccdc64aec9962e8ca1a1
• Instruction ID: a4e16dab2fcd599b67a22db69db2a4f1d6cea8ad527af57fa730fceca224916d
• Opcode Fuzzy Hash: e3754bf166b71890747d70b68c77e3f123bb0cd588c9ccdc64aec9962e8ca1a1
• Instruction Fuzzy Hash: D501C431F401049FC705ABB9D8197AE7FAAEF45644F1080AAD20D9B390CE38ED01CB96
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.1948748510.0000000002460000.00000040.00000800.00020000.00000000.sdmp, Offset: 02460000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_2460000_cbsBVT.jbxd
Similarity
• API ID:
• String ID: tP^q
• API String ID: 0-2862610199
• Opcode ID: c13cd706e28112ea1a3cd6506c97796792e79aa7a0c6c20624adfd782ff90ae7
• Instruction ID: 47ffcff5cd0ed54d3f251cdebcd73b557f202b6a4c60db851841b80ca6bcdb83
• Opcode Fuzzy Hash: c13cd706e28112ea1a3cd6506c97796792e79aa7a0c6c20624adfd782ff90ae7
• Instruction Fuzzy Hash: AA210C713405018FCB59EB38D45892D7BE2AF8AA1931604E9E50ACF372DF35DC46CB92
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.1948748510.0000000002460000.00000040.00000800.00020000.00000000.sdmp, Offset: 02460000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_2460000_cbsBVT.jbxd
Similarity
• API ID:
• String ID: 8bq
• API String ID: 0-187764589
• Opcode ID: 57fe4a3729d204d577e8e0fdf4d2fa9c7b987b5da857b3bf41fe8329ef0d3a97
• Instruction ID: d9a51a1a7a526a982db94a93525195bdb3bc054ed215fc1413c3a239443ff800
• Opcode Fuzzy Hash: 57fe4a3729d204d577e8e0fdf4d2fa9c7b987b5da857b3bf41fe8329ef0d3a97
• Instruction Fuzzy Hash: D1F0A3711407102BC301B654E42477E7A8B5B85355F008436D10E87358DF289A0247D3
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000008.00000002.1948748510.0000000002460000.00000040.00000800.00020000.00000000.sdmp, Offset: 02460000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_8_2_2460000_cbsBVT.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 7bbd5aa9dc6aabb76e98a084f92dcc4fa7369187c089996d9cda5b7d73a8d0b5
                                                                                                                          • Instruction ID: 0d88698857c7539ac2b891eba28ca923353af9c61edd0e1d71b6b6f4171fe9b2
                                                                                                                          • Opcode Fuzzy Hash: 7bbd5aa9dc6aabb76e98a084f92dcc4fa7369187c089996d9cda5b7d73a8d0b5
                                                                                                                          • Instruction Fuzzy Hash: 9AC15E34200305CFE709DF24D498B267BE6FF48304F649869E8168B369DB75EC86CB92
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000008.00000002.1948748510.0000000002460000.00000040.00000800.00020000.00000000.sdmp, Offset: 02460000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_8_2_2460000_cbsBVT.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: f3f9fa87203dffdb228c2291b6bf2aaf1a77485af36a7ef5bacaefbd543f8561
                                                                                                                          • Instruction ID: fbd5b47f782c6bfc6569d2600f4465f2e44e1c866e874b036bc8764510e3ea89
                                                                                                                          • Opcode Fuzzy Hash: f3f9fa87203dffdb228c2291b6bf2aaf1a77485af36a7ef5bacaefbd543f8561
                                                                                                                          • Instruction Fuzzy Hash: 1E01FE76B006109FDB259B25EC5CD2F3B95FB89A607154556E80FCB318CB71DC41C792
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000008.00000002.1948748510.0000000002460000.00000040.00000800.00020000.00000000.sdmp, Offset: 02460000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_8_2_2460000_cbsBVT.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 8e0d4d6d39a7c55e6f56f989992ead25e9639c830ff745afc406f7d1cae0580d
                                                                                                                          • Instruction ID: 7861d525c6e6e473ad8c7bc276dbac2443cbdc55939f4f75d5e2adf8e7ac5165
                                                                                                                          • Opcode Fuzzy Hash: 8e0d4d6d39a7c55e6f56f989992ead25e9639c830ff745afc406f7d1cae0580d
                                                                                                                          • Instruction Fuzzy Hash: ADF05272B053282FC7081B3A5C54AAB3BAEEFC6224310487AE00DD7351ED388C0387E6
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000008.00000002.1948748510.0000000002460000.00000040.00000800.00020000.00000000.sdmp, Offset: 02460000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_8_2_2460000_cbsBVT.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 6b81b4d92d5f4599710a9062edafd031ee07e0cac43f0c686482ca69ec4800e2
                                                                                                                          • Instruction ID: 8d29ed764b67e9282c50b8b271d8efd944c4d77b4e9e67b474200ad1157fe4a5
                                                                                                                          • Opcode Fuzzy Hash: 6b81b4d92d5f4599710a9062edafd031ee07e0cac43f0c686482ca69ec4800e2
                                                                                                                          • Instruction Fuzzy Hash: F4F09272B48389AFC705DFBA98486DA7FFDFE46126B15C0EBE008D3212E6749901C755
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000008.00000002.1948748510.0000000002460000.00000040.00000800.00020000.00000000.sdmp, Offset: 02460000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_8_2_2460000_cbsBVT.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 7e040ea89a792b8ff44d291b522d50d252d166ddb64a7b775686b0ec5212f4f6
                                                                                                                          • Instruction ID: c71ae7d757774f23b3be66b7e67c88c01b43e7a687520c2ee4b23b1fc45f1bce
                                                                                                                          • Opcode Fuzzy Hash: 7e040ea89a792b8ff44d291b522d50d252d166ddb64a7b775686b0ec5212f4f6
                                                                                                                          • Instruction Fuzzy Hash: 7BE0ED76A4421AAF8B04EFA9A8485DA7BE9FA48162B20806AE009D2210EAB555418794
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000008.00000002.1948748510.0000000002460000.00000040.00000800.00020000.00000000.sdmp, Offset: 02460000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_8_2_2460000_cbsBVT.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 5a8e106a501ed7008b6376fa5fb1b63ee4397100a70db5b3a1f568f7c7cd48a1
                                                                                                                          • Instruction ID: a45d7ce4bffe1ce24c18c1f80bd0b621b4eeb0e8c2d0140072b202e9314636d0
                                                                                                                          • Opcode Fuzzy Hash: 5a8e106a501ed7008b6376fa5fb1b63ee4397100a70db5b3a1f568f7c7cd48a1
                                                                                                                          • Instruction Fuzzy Hash: 0DE0C2346887C44FD7069F24E92CB253FE5EB05215B5850D5E04D8B36BCA686C41C7AA
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000008.00000002.1948748510.0000000002460000.00000040.00000800.00020000.00000000.sdmp, Offset: 02460000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_8_2_2460000_cbsBVT.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: e462de596e4f860d4967f0b3fe4466890a5db5b8729ff0587feafe42ce85cb4e
                                                                                                                          • Instruction ID: 20191e1d35e9f5d8a9dfede41554497e2a20d8a2bd36142bc38441353d9df189
                                                                                                                          • Opcode Fuzzy Hash: e462de596e4f860d4967f0b3fe4466890a5db5b8729ff0587feafe42ce85cb4e
                                                                                                                          • Instruction Fuzzy Hash: 23D0A772E8CA546BCB0196B16C0D39D3F649B03150B0440BBD44CC7291E60C991483D3
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000008.00000002.1948748510.0000000002460000.00000040.00000800.00020000.00000000.sdmp, Offset: 02460000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_8_2_2460000_cbsBVT.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: c78f1af199a4cdde3b8bd14f188ef4ae7d5bb9d81265f31cd15e592594c31ab5
                                                                                                                          • Instruction ID: 4406ad009b8cd6cd7de8df7945a1b23ccf1b2724fac88b1bb17537b26ab11db5
                                                                                                                          • Opcode Fuzzy Hash: c78f1af199a4cdde3b8bd14f188ef4ae7d5bb9d81265f31cd15e592594c31ab5
                                                                                                                          • Instruction Fuzzy Hash: 8CD012A194D3C20DE71347314808324BF511F0210CF6814CBC19D4B3B3E3680884C76B
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 0000000A.00000002.2028707872.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_10_2_28e0000_cbsBVT.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: tP^q
                                                                                                                          • API String ID: 0-2862610199
                                                                                                                          • Opcode ID: 4826ce2d445ff3576d9f32e1b239790539d1f510cdeef0f62989dbdaf0f67dec
                                                                                                                          • Instruction ID: 6f291da9087284574fde664248573389776ea8d7b11270e356309c30f20aadee
                                                                                                                          • Opcode Fuzzy Hash: 4826ce2d445ff3576d9f32e1b239790539d1f510cdeef0f62989dbdaf0f67dec
                                                                                                                          • Instruction Fuzzy Hash: 862118753405118FCB49EF38D5A8A2D77E2AF89A1932504A8E40ACF371DF35DC42CB91
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 0000000A.00000002.2028707872.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_10_2_28e0000_cbsBVT.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: 8bq
                                                                                                                          • API String ID: 0-187764589
                                                                                                                          • Opcode ID: 8ac730c0b21a21f45587b09cdeb06cca2852dc354c2f1ac1c57f9d9c154d7ae7
                                                                                                                          • Instruction ID: 37294419c2cda682754426176bca2f4a757ecda1de054534bb7ebbaf64b4ba72
                                                                                                                          • Opcode Fuzzy Hash: 8ac730c0b21a21f45587b09cdeb06cca2852dc354c2f1ac1c57f9d9c154d7ae7
                                                                                                                          • Instruction Fuzzy Hash: 2EF020BA9007104FC312A6A0E0506AF77E2BB99348B05012AD48ECB294EE2589424F81
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 0000000A.00000002.2028707872.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_10_2_28e0000_cbsBVT.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 3e4c708c3308d74a55aa1ad74de8686fc5da87b450cb6ed1ee09dbdd2621017a
                                                                                                                          • Instruction ID: 5c1681d7caed3f5ad15e87b57cd446bbf1c788f4ed6f8ef9693c8766d3bf0e1c
                                                                                                                          • Opcode Fuzzy Hash: 3e4c708c3308d74a55aa1ad74de8686fc5da87b450cb6ed1ee09dbdd2621017a
                                                                                                                          • Instruction Fuzzy Hash: 85029E74A002159FCB14DF68C984AAEBBF2FF85304B148A68D44ADF395DB35EC42CB91
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 0000000A.00000002.2028707872.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_10_2_28e0000_cbsBVT.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: a4c6ebeb64f9ddd232352818ea6df22bde7392f18a0b03e3907f93d101f78c63
• Instruction ID: 6e81c82c0914f1cc08118284fd011d14ed0cdc3f5db24fa97581043293f5878d
• Opcode Fuzzy Hash: a4c6ebeb64f9ddd232352818ea6df22bde7392f18a0b03e3907f93d101f78c63
• Instruction Fuzzy Hash: 61C16F3C200305CFDB15DF24D544A6A7BA2FB89308F548868E84ADF758DBB6ED85CB91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.2028707872.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_28e0000_cbsBVT.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 18d15d371b70d0c280231e72f0d89a403a410b38373d6293c8a616cc8cc5fd69
• Instruction ID: c90231febee6aac85b39657cb5596a2303c9a1f4a0f88b7c4ac08b053eebdbc8
• Opcode Fuzzy Hash: 18d15d371b70d0c280231e72f0d89a403a410b38373d6293c8a616cc8cc5fd69
• Instruction Fuzzy Hash: 1F01F571F001149FCB54ABB8D8156AE7FB6EF85340F1080AAE509DB380DE399D01CB95
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.2028707872.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_28e0000_cbsBVT.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 01b3d7a3e548f3a97c8bfddbd275aa2111710faaff9ed0192868b279f0a947e4
• Instruction ID: af4f4d9786663c4c36de8ac54b190bf4400ece352e3383eb0df70f2904dbdca2
• Opcode Fuzzy Hash: 01b3d7a3e548f3a97c8bfddbd275aa2111710faaff9ed0192868b279f0a947e4
• Instruction Fuzzy Hash: 96F0BEB2B003244FD70856789C946AB3BAAEBC5220705087EE009D7350ED798C4283A4
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.2028707872.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_28e0000_cbsBVT.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dbf52cbe72a74324597bdfc7cb914ff3126f64b5a7cd91e2f1fa8df9837b23a6
• Instruction ID: fc4d71cca20777b550aed503362965fd2110e59c86819eb716e9857bd1ce4cda
• Opcode Fuzzy Hash: dbf52cbe72a74324597bdfc7cb914ff3126f64b5a7cd91e2f1fa8df9837b23a6
• Instruction Fuzzy Hash: D1E06D37A08219AF8B14EFE9A8485DB7BEDEA48222B008466E00DD2204FAB654809790
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.2028707872.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_28e0000_cbsBVT.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 52d65fbb0412b55e4d151a643ae4b5821b79148c970ce5e838ffb8a4a66f977b
• Instruction ID: 9dce83c725d87a478b10651778892ce0df30628bd1cdff83b791d89661ef0cdb
• Opcode Fuzzy Hash: 52d65fbb0412b55e4d151a643ae4b5821b79148c970ce5e838ffb8a4a66f977b
• Instruction Fuzzy Hash: F4E09236A182189FCB04DFF59C487DBBFE9DF45215B0484AAE00DE3200E67195419711
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.2028707872.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_28e0000_cbsBVT.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5557588ca4a6885b4db3eb8aaea5ad5d074c20ede43667f7de12fa3c167ef8dd
• Instruction ID: 146d086b858c83f3cdec239e5a2733c014c1dcae6e5b63e8e6be19ec98c727de
• Opcode Fuzzy Hash: 5557588ca4a6885b4db3eb8aaea5ad5d074c20ede43667f7de12fa3c167ef8dd
• Instruction Fuzzy Hash: E0D0A772A047148BCB1056E5AC091CE3F74DF022A4B0640AAD488C7181E7689D1487D6
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.2028707872.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_28e0000_cbsBVT.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fae832ca47f2279eb4d9e190ee4a02c0bc28a3e2c7baa240bceb6f04d265e025
• Instruction ID: 0e5e7e0a485aa698e49c57ceafd394600ad476bd25f592613606b5488e406ed2
• Opcode Fuzzy Hash: fae832ca47f2279eb4d9e190ee4a02c0bc28a3e2c7baa240bceb6f04d265e025
• Instruction Fuzzy Hash: CCE0C23C2083808FC7059F20EB2865A3FB2AF06209B0504D9E0C98FA6ACA789880CF05
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.2028707872.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_28e0000_cbsBVT.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6c968fbdf0b63ed184fac6215ecd8d691b80108219037ea1b9a825754c15b39d
• Instruction ID: 8932749ccb6c620e8b02ecdcf21c779fb674dce5499a3c4f28a52d1ceeb7db22
• Opcode Fuzzy Hash: 6c968fbdf0b63ed184fac6215ecd8d691b80108219037ea1b9a825754c15b39d
• Instruction Fuzzy Hash: 66B09277054B421BE36219508DAB3873654A760208BDD0468448682297F1CA948141CB
Uniqueness

Uniqueness Score: -1.00%