Edit tour

Windows Analysis Report
62402781, Fiyat Teklif Talebi.pdf.exe

Overview

General Information

Sample name:	62402781, Fiyat Teklif Talebi.pdf.exe
Analysis ID:	1430787
MD5:	52e4f8ee79c595a890bc451dfbbbb9f4
SHA1:	12b24cc207161c893d5c87fc12453c083275d11f
SHA256:	0766dcf703dbf0243d873fff3b325054eee96ce58a9753ac8aa9891c311b4434
Tags:	AgentTeslaexegeoTUR
Infos:

Detection

AgentTesla, PureLog Stealer, RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension File Execution

Snort IDS alert for network traffic

Yara detected AgentTesla

Yara detected PureLog Stealer

Yara detected RedLine Stealer

.NET source code contains method to dynamically call methods (often used by packers)

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Contains functionality to register a low level keyboard hook

Found API chain indicative of sandbox detection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Writes to foreign memory regions

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

62402781, Fiyat Teklif Talebi.pdf.exe (PID: 4744 cmdline: "C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe" MD5: 52E4F8EE79C595A890BC451DFBBBB9F4)

RegSvcs.exe (PID: 7124 cmdline: "C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

62402781, Fiyat Teklif Talebi.pdf.exe (PID: 5688 cmdline: "C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe" MD5: 52E4F8EE79C595A890BC451DFBBBB9F4)

RegSvcs.exe (PID: 6380 cmdline: "C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

ctsdvwT.exe (PID: 4028 cmdline: "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 2212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ctsdvwT.exe (PID: 3580 cmdline: "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 5032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.musabody.com", "Username": "victoria@musabody.com", "Password": "MUSAbody_victoria2018"}

Threatname: RedLine

{"C2 url": ["mail.musabody.com"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.4475963234.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000002.4475963234.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 7D 88 44 24 2B 88 44 24 2F B0 1E 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000004.00000002.4478825665.0000000005120000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.4478825665.0000000005120000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.4478825665.0000000005120000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000002.4478825665.0000000005120000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3fba4:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3fc16:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3fca0:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3fd32:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3fd9c:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fe0e:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fea4:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3ff34:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000004.00000002.4477299535.000000000280F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.4477299535.000000000280F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.4477299535.000000000280F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000002.2028748340.00000000011F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000003.00000002.2028748340.00000000011F0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 7D 88 44 24 2B 88 44 24 2F B0 1E 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000004.00000002.4478416946.0000000004F80000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.4478416946.0000000004F80000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.4478416946.0000000004F80000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000002.4478416946.0000000004F80000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x40a8c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40afe:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x40b88:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40c1a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x40c84:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x40cf6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x40d8c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40e1c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000004.00000002.4477550403.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.4478163041.0000000003C01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.4478163041.0000000003C01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.4478163041.0000000003C01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2016173689.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.2016173689.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 7D 88 44 24 2B 88 44 24 2F B0 1E 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
Process Memory Space: RegSvcs.exe PID: 6380	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 6380	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 7D 88 44 24 2B 88 44 24 2F B0 1E 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
3.2.62402781, Fiyat Teklif Talebi.pdf.exe.11f0000.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.2.62402781, Fiyat Teklif Talebi.pdf.exe.11f0000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 7D 88 44 24 2B 88 44 24 2F B0 1E 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
4.2.RegSvcs.exe.285020e.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.285020e.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.RegSvcs.exe.285020e.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.285020e.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3fba4:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3fc16:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3fca0:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3fd32:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3fd9c:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fe0e:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fea4:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3ff34:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.62402781, Fiyat Teklif Talebi.pdf.exe.3cf0000.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.62402781, Fiyat Teklif Talebi.pdf.exe.3cf0000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 7D 88 44 24 2B 88 44 24 2F B0 1E 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
4.2.RegSvcs.exe.284f326.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.284f326.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.RegSvcs.exe.284f326.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.284f326.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3ec8c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3ecfe:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3ed88:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3ee1a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3ee84:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3eef6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3ef8c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f01c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.RegSvcs.exe.5120000.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.5120000.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.RegSvcs.exe.5120000.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.5120000.8.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3dda4:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3de16:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3dea0:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3df32:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3df9c:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3e00e:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3e0a4:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3e134:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.RegSvcs.exe.5120000.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.5120000.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.RegSvcs.exe.5120000.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.5120000.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3fba4:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3fc16:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3fca0:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3fd32:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3fd9c:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fe0e:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fea4:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3ff34:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.RegSvcs.exe.4f80000.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.4f80000.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.RegSvcs.exe.4f80000.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.4f80000.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x40a8c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40afe:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x40b88:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40c1a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x40c84:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x40cf6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x40d8c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40e1c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.RegSvcs.exe.284f326.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.284f326.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.RegSvcs.exe.284f326.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.284f326.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x40a8c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40afe:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x40b88:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40c1a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x40c84:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x40cf6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x40d8c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40e1c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.RegSvcs.exe.4f80ee8.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.4f80ee8.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.RegSvcs.exe.4f80ee8.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.4f80ee8.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3fba4:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3fc16:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3fca0:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3fd32:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3fd9c:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fe0e:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fea4:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3ff34:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.RegSvcs.exe.3c53790.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.3c53790.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.RegSvcs.exe.3c53790.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.3c53790.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3dda4:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3de16:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3dea0:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3df32:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3df9c:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3e00e:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3e0a4:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3e134:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.RegSvcs.exe.3c53790.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.3c53790.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.RegSvcs.exe.3c53790.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.3c53790.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3fba4:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3fc16:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3fca0:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3fd32:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3fd9c:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fe0e:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fea4:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3ff34:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.RegSvcs.exe.3c05570.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.3c05570.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.RegSvcs.exe.3c05570.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.3c05570.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x40a8c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x8ddc4:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40afe:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x8de36:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x40b88:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x8dec0:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40c1a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x8df52:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x40c84:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x8dfbc:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x40cf6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x8e02e:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x40d8c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x8e0c4:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40e1c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x8e154:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.RegSvcs.exe.3c06458.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.3c06458.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.RegSvcs.exe.3c06458.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.3c06458.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3dda4:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3de16:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3dea0:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3df32:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3df9c:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3e00e:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3e0a4:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3e134:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.RegSvcs.exe.4f80000.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.4f80000.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.RegSvcs.exe.4f80000.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.4f80000.7.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3ec8c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3ecfe:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3ed88:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3ee1a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3ee84:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3eef6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3ef8c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f01c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.RegSvcs.exe.285020e.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.285020e.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.RegSvcs.exe.285020e.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.285020e.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3dda4:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3de16:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3dea0:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3df32:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3df9c:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3e00e:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3e0a4:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3e134:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.RegSvcs.exe.4f80ee8.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.4f80ee8.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.RegSvcs.exe.4f80ee8.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.4f80ee8.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3dda4:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3de16:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3dea0:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3df32:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3df9c:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3e00e:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3e0a4:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3e134:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.2.RegSvcs.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 7D 88 44 24 2B 88 44 24 2F B0 1E 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
4.2.RegSvcs.exe.3c05570.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.3c05570.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.RegSvcs.exe.3c05570.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.3c05570.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3ec8c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3ecfe:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3ed88:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3ee1a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3ee84:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3eef6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3ef8c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f01c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.RegSvcs.exe.3c06458.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.3c06458.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.RegSvcs.exe.3c06458.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.3c06458.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3fba4:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x8cedc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3fc16:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x8cf4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3fca0:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x8cfd8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3fd32:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x8d06a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3fd9c:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x8d0d4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fe0e:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x8d146:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fea4:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x8d1dc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3ff34:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x8d26c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 67 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe", CommandLine: "C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe", CommandLine|base64offset|contains: ,, Image: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe, NewProcessName: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe, OriginalFileName: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe", ProcessId: 4744, ProcessName: 62402781, Fiyat Teklif Talebi.pdf.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6380, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctsdvwT

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 108.167.140.123, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 6380, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49712

Snort Signatures

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.5 - Destination IP: 108.167.140.123

Timestamp:	04/24/24-07:20:53.590123
SID:	2030171
Source Port:	49712
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/Agent Tesla SMTP Activity - Source IP: 192.168.2.5 - Destination IP: 108.167.140.123

Timestamp:	04/24/24-07:20:53.590123
SID:	2839723
Source Port:	49712
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.5 - Destination IP: 108.167.140.123

Timestamp:	04/24/24-07:20:53.590247
SID:	2855542
Source Port:	49712
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.5 - Destination IP: 108.167.140.123

Timestamp:	04/24/24-07:20:53.590247
SID:	2840032
Source Port:	49712
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.5 - Destination IP: 108.167.140.123

Timestamp:	04/24/24-07:20:53.590247
SID:	2851779
Source Port:	49712
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 4.2.RegSvcs.exe.285020e.2.raw.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.musabody.com", "Username": "victoria@musabody.com", "Password": "MUSAbody_victoria2018"}
Source: 4.2.RegSvcs.exe.285020e.2.raw.unpack	Malware Configuration Extractor: RedLine {"C2 url": ["mail.musabody.com"]}

Multi AV Scanner detection for submitted file

Source: 62402781, Fiyat Teklif Talebi.pdf.exe	ReversingLabs: Detection: 52%
Source: 62402781, Fiyat Teklif Talebi.pdf.exe	Virustotal: Detection: 48%			Perma Link

Machine Learning detection for sample

Source: 62402781, Fiyat Teklif Talebi.pdf.exe

Joe Sandbox ML: detected

Source: 62402781, Fiyat Teklif Talebi.pdf.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000004.00000002.4477299535.000000000280F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4478416946.0000000004F80000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4478163041.0000000003C01000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb, source: ctsdvwT.exe, 00000005.00000000.2142766619.0000000000342000.00000002.00000001.01000000.00000007.sdmp, ctsdvwT.exe.4.dr
Source:	Binary string: wntdll.pdbUGP source: 62402781, Fiyat Teklif Talebi.pdf.exe, 00000000.00000003.2013710069.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, 62402781, Fiyat Teklif Talebi.pdf.exe, 00000000.00000003.2013148328.0000000004200000.00000004.00001000.00020000.00000000.sdmp, 62402781, Fiyat Teklif Talebi.pdf.exe, 00000003.00000003.2025312823.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, 62402781, Fiyat Teklif Talebi.pdf.exe, 00000003.00000003.2024412542.0000000003B50000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 62402781, Fiyat Teklif Talebi.pdf.exe, 00000000.00000003.2013710069.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, 62402781, Fiyat Teklif Talebi.pdf.exe, 00000000.00000003.2013148328.0000000004200000.00000004.00001000.00020000.00000000.sdmp, 62402781, Fiyat Teklif Talebi.pdf.exe, 00000003.00000003.2025312823.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, 62402781, Fiyat Teklif Talebi.pdf.exe, 00000003.00000003.2024412542.0000000003B50000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: ctsdvwT.exe, 00000005.00000000.2142766619.0000000000342000.00000002.00000001.01000000.00000007.sdmp, ctsdvwT.exe.4.dr

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_0082DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0082DBBE
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_007FC2A2 FindFirstFileExW,	0_2_007FC2A2
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_008368EE FindFirstFileW,FindClose,	0_2_008368EE
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_0083698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0083698F
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_0082D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0082D076
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_0082D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0082D3A9
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_00839642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00839642
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_0083979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0083979D
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_00839B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00839B2B
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_00835C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00835C97

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49712 -> 108.167.140.123:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49712 -> 108.167.140.123:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49712 -> 108.167.140.123:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49712 -> 108.167.140.123:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49712 -> 108.167.140.123:587

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: mail.musabody.com

Source: global traffic

TCP traffic: 192.168.2.5:49712 -> 108.167.140.123:587

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: global traffic

TCP traffic: 192.168.2.5:49712 -> 108.167.140.123:587

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe

Code function: 0_2_0083CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_0083CE44

Source: unknown

DNS traffic detected: queries for: mail.musabody.com

Source: RegSvcs.exe, 00000004.00000002.4477550403.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.musabody.com
Source: RegSvcs.exe, 00000004.00000002.4478825665.0000000005120000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4477299535.000000000280F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4478416946.0000000004F80000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4478163041.0000000003C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 4.2.RegSvcs.exe.5120000.8.raw.unpack, POq2Ux.cs

.Net Code: _4H57oeN1J

Contains functionality to register a low level keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 4_2_0600A268 SetWindowsHookExA 0000000D,00000000,?,?,?,?,?,?,?,?,?,0600A8C0,00000000,00000000

4_2_0600A268

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Jump to behavior

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe

Code function: 0_2_0083EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0083EAFF

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe

Code function: 0_2_0083ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0083ED6A

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe

0_2_0083EAFF

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe

Code function: 0_2_0082AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0082AA57

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe

Code function: 0_2_00859576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00859576

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.62402781, Fiyat Teklif Talebi.pdf.exe.11f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.2.RegSvcs.exe.285020e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.62402781, Fiyat Teklif Talebi.pdf.exe.3cf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.2.RegSvcs.exe.284f326.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.RegSvcs.exe.5120000.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.RegSvcs.exe.5120000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.RegSvcs.exe.4f80000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.RegSvcs.exe.284f326.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.RegSvcs.exe.4f80ee8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.RegSvcs.exe.3c53790.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.RegSvcs.exe.3c53790.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.RegSvcs.exe.3c05570.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.RegSvcs.exe.3c06458.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.RegSvcs.exe.4f80000.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.RegSvcs.exe.285020e.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.RegSvcs.exe.4f80ee8.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.2.RegSvcs.exe.3c05570.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.RegSvcs.exe.3c06458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000004.00000002.4475963234.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000004.00000002.4478825665.0000000005120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000003.00000002.2028748340.00000000011F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000004.00000002.4478416946.0000000004F80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.2016173689.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: 62402781, Fiyat Teklif Talebi.pdf.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 62402781, Fiyat Teklif Talebi.pdf.exe, 00000000.00000000.2004997068.0000000000882000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_976eb398-3
Source: 62402781, Fiyat Teklif Talebi.pdf.exe, 00000000.00000000.2004997068.0000000000882000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_8c62133b-2
Source: 62402781, Fiyat Teklif Talebi.pdf.exe, 00000003.00000002.2028136586.0000000000882000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_9ff3d474-f
Source: 62402781, Fiyat Teklif Talebi.pdf.exe, 00000003.00000002.2028136586.0000000000882000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_463114a5-a
Source: 62402781, Fiyat Teklif Talebi.pdf.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2c7e1c25-5
Source: 62402781, Fiyat Teklif Talebi.pdf.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_6b0cda2d-6

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: 62402781, Fiyat Teklif Talebi.pdf.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe

Code function: 0_2_0082D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0082D5EB

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe

Code function: 0_2_00821201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00821201

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe

Code function: 0_2_0082E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0082E8F6

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_007C8060	0_2_007C8060
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_00832046	0_2_00832046
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_00828298	0_2_00828298
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_007FE4FF	0_2_007FE4FF
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_007F676B	0_2_007F676B
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_00854873	0_2_00854873
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_007CCAF0	0_2_007CCAF0
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_007ECAA0	0_2_007ECAA0
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_007DCC39	0_2_007DCC39
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_007F6DD9	0_2_007F6DD9
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_007DB119	0_2_007DB119
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_007C91C0	0_2_007C91C0
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_007E1394	0_2_007E1394
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_007E1706	0_2_007E1706
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_007E781B	0_2_007E781B
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_007D997D	0_2_007D997D
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_007C7920	0_2_007C7920
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_007E19B0	0_2_007E19B0
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_007E7A4A	0_2_007E7A4A
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_007E1C77	0_2_007E1C77
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_007E7CA7	0_2_007E7CA7
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_007F9EEE	0_2_007F9EEE
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_0084BE44	0_2_0084BE44
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_007E1F32	0_2_007E1F32
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_01903640	0_2_01903640
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 3_2_011E3640	3_2_011E3640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00408C60	4_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040DC11	4_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00407C3F	4_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00418CCC	4_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00406CA0	4_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004028B0	4_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041A4BE	4_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00418244	4_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00401650	4_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00402F20	4_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004193C4	4_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00418788	4_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00402F89	4_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00402B90	4_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004073A0	4_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0271DCB0	4_2_0271DCB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0271D098	4_2_0271D098
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0271D3E0	4_2_0271D3E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_02710FD0	4_2_02710FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_02711030	4_2_02711030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05FC4938	4_2_05FC4938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05FCA7B8	4_2_05FCA7B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05FC7BB8	4_2_05FC7BB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05FCC368	4_2_05FCC368
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05FC0108	4_2_05FC0108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05FC00F9	4_2_05FC00F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05FCD478	4_2_05FCD478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0600161C	4_2_0600161C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06001610	4_2_06001610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_060035D0	4_2_060035D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06149360	4_2_06149360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_061458A8	4_2_061458A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_061410D0	4_2_061410D0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: String function: 007DF9F2 appears 40 times
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: String function: 007C9CB3 appears 31 times
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: String function: 007E0A30 appears 46 times

Source: 62402781, Fiyat Teklif Talebi.pdf.exe, 00000000.00000003.2013287474.00000000044CD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 62402781, Fiyat Teklif Talebi.pdf.exe
Source: 62402781, Fiyat Teklif Talebi.pdf.exe, 00000000.00000002.2016173689.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename24eacbb4-825a-4768-ad59-21c6c6ffb60d.exe4 vs 62402781, Fiyat Teklif Talebi.pdf.exe
Source: 62402781, Fiyat Teklif Talebi.pdf.exe, 00000000.00000003.2013148328.0000000004323000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 62402781, Fiyat Teklif Talebi.pdf.exe
Source: 62402781, Fiyat Teklif Talebi.pdf.exe, 00000003.00000003.2026090146.0000000003C73000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 62402781, Fiyat Teklif Talebi.pdf.exe
Source: 62402781, Fiyat Teklif Talebi.pdf.exe, 00000003.00000003.2024613808.0000000003E1D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 62402781, Fiyat Teklif Talebi.pdf.exe
Source: 62402781, Fiyat Teklif Talebi.pdf.exe, 00000003.00000002.2028748340.00000000011F0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename24eacbb4-825a-4768-ad59-21c6c6ffb60d.exe4 vs 62402781, Fiyat Teklif Talebi.pdf.exe

Source: 62402781, Fiyat Teklif Talebi.pdf.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.62402781, Fiyat Teklif Talebi.pdf.exe.11f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.RegSvcs.exe.285020e.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.62402781, Fiyat Teklif Talebi.pdf.exe.3cf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.RegSvcs.exe.284f326.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.5120000.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.5120000.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.4f80000.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.284f326.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.4f80ee8.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.3c53790.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.3c53790.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.3c05570.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.3c06458.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.4f80000.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.285020e.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.4f80ee8.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.RegSvcs.exe.3c05570.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.3c06458.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000004.00000002.4475963234.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000004.00000002.4478825665.0000000005120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000003.00000002.2028748340.00000000011F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000004.00000002.4478416946.0000000004F80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.2016173689.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: 4.2.RegSvcs.exe.285020e.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.285020e.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.4f80ee8.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.4f80ee8.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.3c53790.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.3c53790.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.5120000.8.raw.unpack, ZTFEpdjP8zw.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.RegSvcs.exe.5120000.8.raw.unpack, WnRNxU.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.RegSvcs.exe.5120000.8.raw.unpack, 2njIk.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.RegSvcs.exe.5120000.8.raw.unpack, I5ElxL.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@11/10@1/1

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe

Code function: 0_2_008337B5 GetLastError,FormatMessageW,

0_2_008337B5

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_008210BF AdjustTokenPrivileges,CloseHandle,		0_2_008210BF
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_008216C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_008216C3

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe

Code function: 0_2_008351CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_008351CD

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe

Code function: 0_2_0084A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0084A67C

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe

Code function: 0_2_0083648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0083648E

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe

Code function: 0_2_007C42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_007C42A2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\ctsdvwT

Jump to behavior

Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2212:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5032:120:WilError_03

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe

File created: C:\Users\user\AppData\Local\Temp\aut32DD.tmp

Jump to behavior

Source: 62402781, Fiyat Teklif Talebi.pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000004.00000002.4477550403.0000000002D46000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4477550403.0000000002D59000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 62402781, Fiyat Teklif Talebi.pdf.exe	ReversingLabs: Detection: 52%
Source: 62402781, Fiyat Teklif Talebi.pdf.exe	Virustotal: Detection: 48%

Source: unknown	Process created: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe "C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe"
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe"
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Process created: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe "C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe"
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Process created: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe "C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe"	Jump to behavior

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: 62402781, Fiyat Teklif Talebi.pdf.exe

Static file information: File size 1209856 > 1048576

Source: 62402781, Fiyat Teklif Talebi.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 62402781, Fiyat Teklif Talebi.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 62402781, Fiyat Teklif Talebi.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 62402781, Fiyat Teklif Talebi.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 62402781, Fiyat Teklif Talebi.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 62402781, Fiyat Teklif Talebi.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 62402781, Fiyat Teklif Talebi.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000004.00000002.4477299535.000000000280F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4478416946.0000000004F80000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4478163041.0000000003C01000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb, source: ctsdvwT.exe, 00000005.00000000.2142766619.0000000000342000.00000002.00000001.01000000.00000007.sdmp, ctsdvwT.exe.4.dr
Source:	Binary string: wntdll.pdbUGP source: 62402781, Fiyat Teklif Talebi.pdf.exe, 00000000.00000003.2013710069.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, 62402781, Fiyat Teklif Talebi.pdf.exe, 00000000.00000003.2013148328.0000000004200000.00000004.00001000.00020000.00000000.sdmp, 62402781, Fiyat Teklif Talebi.pdf.exe, 00000003.00000003.2025312823.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, 62402781, Fiyat Teklif Talebi.pdf.exe, 00000003.00000003.2024412542.0000000003B50000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 62402781, Fiyat Teklif Talebi.pdf.exe, 00000000.00000003.2013710069.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, 62402781, Fiyat Teklif Talebi.pdf.exe, 00000000.00000003.2013148328.0000000004200000.00000004.00001000.00020000.00000000.sdmp, 62402781, Fiyat Teklif Talebi.pdf.exe, 00000003.00000003.2025312823.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, 62402781, Fiyat Teklif Talebi.pdf.exe, 00000003.00000003.2024412542.0000000003B50000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: ctsdvwT.exe, 00000005.00000000.2142766619.0000000000342000.00000002.00000001.01000000.00000007.sdmp, ctsdvwT.exe.4.dr

Source: 62402781, Fiyat Teklif Talebi.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 62402781, Fiyat Teklif Talebi.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 62402781, Fiyat Teklif Talebi.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 62402781, Fiyat Teklif Talebi.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 62402781, Fiyat Teklif Talebi.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 4.2.RegSvcs.exe.285020e.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 4.2.RegSvcs.exe.4f80ee8.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 4.2.RegSvcs.exe.3c53790.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 4.2.RegSvcs.exe.5120000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 4.2.RegSvcs.exe.3c06458.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe

Code function: 0_2_007C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007C42DE

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_007E0A76 push ecx; ret	0_2_007E0A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041C40C push cs; iretd	4_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00423149 push eax; ret	4_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041C50E push cs; iretd	4_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004231C8 push eax; ret	4_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040E21D push ecx; ret	4_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041C6BE push ebx; ret	4_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_02714316 pushfd ; iretd	4_2_02714319
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05FCFDA3 push 14418B05h; ret	4_2_05FCFDB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05FCFF30 push 18418B05h; ret	4_2_05FCFF43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_060025E1 push 10418B05h; ret	4_2_060025F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_060014AC push 04418B05h; ret	4_2_060026E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06003270 push 0C418B05h; ret	4_2_06003283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_060073F8 pushfd ; retf	4_2_06007405
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06003190 push 14418B05h; ret	4_2_060031C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_060031D0 push 24418B05h; ret	4_2_06003223
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0600BCC1 push es; ret	4_2_0600BCD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06145120 push 24418B05h; ret	4_2_06145133

Source: 4.2.RegSvcs.exe.285020e.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'IuVLqWDm5xkXP', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 4.2.RegSvcs.exe.4f80ee8.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'IuVLqWDm5xkXP', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 4.2.RegSvcs.exe.3c53790.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'IuVLqWDm5xkXP', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 4.2.RegSvcs.exe.5120000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'IuVLqWDm5xkXP', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 4.2.RegSvcs.exe.3c06458.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'IuVLqWDm5xkXP', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ctsdvwT			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ctsdvwT			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe:Zone.Identifier read attributes | delete

Jump to behavior

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.exe

Static PE information: 62402781, Fiyat Teklif Talebi.pdf.exe

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_007DF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_007DF98E
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_00851C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00851C41

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95934

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Memory allocated: AC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Memory allocated: 2750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Memory allocated: AC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Memory allocated: 3010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Memory allocated: 32A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Memory allocated: 30A0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 4_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

4_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2400000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2399875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2399766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2399641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2399532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2399407	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2399282	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2399172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2399063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2398938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2398813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2398688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2398563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2398453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2398344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2398219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2398110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2397985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2397860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2397735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2397610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2397485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2397360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2397235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2397110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2396985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2396860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2396735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2396610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2396485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2396360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2396235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2396110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2395985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2395860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2395735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2395610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2395485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2395360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2395235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2395110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2394985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2394860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2394735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2394610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2394485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2394360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2394235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2394110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2393985	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8108			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1713			Jump to behavior

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe

API coverage: 4.1 %

Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 6396	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5788	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_0082DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0082DBBE
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_007FC2A2 FindFirstFileExW,	0_2_007FC2A2
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_008368EE FindFirstFileW,FindClose,	0_2_008368EE
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_0083698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0083698F
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_0082D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0082D076
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_0082D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0082D3A9
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_00839642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00839642
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_0083979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0083979D
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_00839B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00839B2B
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_00835C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00835C97

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe

Code function: 0_2_007C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007C42DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2400000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2399875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2399766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2399641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2399532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2399407	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2399282	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2399172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2399063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2398938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2398813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2398688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2398563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2398453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2398344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2398219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2398110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2397985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2397860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2397735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2397610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2397485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2397360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2397235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2397110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2396985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2396860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2396735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2396610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2396485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2396360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2396235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2396110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2395985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2395860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2395735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2395610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2395485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2395360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2395235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2395110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2394985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2394860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2394735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2394610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2394485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2394360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2394235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2394110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 2393985	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegSvcs.exe, 00000004.00000002.4479098874.0000000005463000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe

Code function: 0_2_0083EAA2 BlockInput,

0_2_0083EAA2

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe

Code function: 0_2_007F2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_007F2622

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

4_2_004019F0

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe

Code function: 0_2_007C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007C42DE

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_007E4CE8 mov eax, dword ptr fs:[00000030h]	0_2_007E4CE8
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_01903530 mov eax, dword ptr fs:[00000030h]	0_2_01903530
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_019034D0 mov eax, dword ptr fs:[00000030h]	0_2_019034D0
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_01901ED0 mov eax, dword ptr fs:[00000030h]	0_2_01901ED0
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 3_2_011E3530 mov eax, dword ptr fs:[00000030h]	3_2_011E3530
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 3_2_011E34D0 mov eax, dword ptr fs:[00000030h]	3_2_011E34D0
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 3_2_011E1ED0 mov eax, dword ptr fs:[00000030h]	3_2_011E1ED0

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe

Code function: 0_2_00820B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00820B62

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_007F2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_007F2622
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_007E083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_007E083F
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_007E09D5 SetUnhandledExceptionFilter,	0_2_007E09D5
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_007E0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_007E0C21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004123F1 SetUnhandledExceptionFilter,	4_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 8F4008

Jump to behavior

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe

0_2_00821201

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe

Code function: 0_2_00802BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00802BA5

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe

Code function: 0_2_0082B226 SendInput,keybd_event,

0_2_0082B226

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe

Code function: 0_2_008422DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_008422DA

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe"			Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe"			Jump to behavior

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe

0_2_00820B62

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe

Code function: 0_2_00821663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00821663

Source: 62402781, Fiyat Teklif Talebi.pdf.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: RegSvcs.exe, 00000004.00000002.4477550403.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4477550403.0000000002C71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Time: 06/24/2024 01:10:13<br>User Name: user<br>Computer Name: 888683<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br><hr><b>[ Program Manager]</b> (24/04/2024 21:58:41)<br>{Win}r{Win}r
Source: RegSvcs.exe, 00000004.00000002.4477550403.0000000002C65000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $eq8<b>[ Program Manager]</b> (24/04/2024 21:58:41)<br>{Win}THjq
Source: RegSvcs.exe, 00000004.00000002.4477550403.0000000002C65000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $eq9<b>[ Program Manager]</b> (24/04/2024 21:58:41)<br>{Win}rTHjq
Source: RegSvcs.exe, 00000004.00000002.4477550403.0000000002C65000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000004.00000002.4477550403.0000000002C65000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLReq
Source: 62402781, Fiyat Teklif Talebi.pdf.exe	Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000004.00000002.4477550403.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Time: 06/24/2024 01:10:13<br>User Name: user<br>Computer Name: 888683<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br><hr><b>[ Program Manager]</b> (24/04/2024 21:58:41)<br>{Win}r{Win}rTeeq
Source: RegSvcs.exe, 00000004.00000002.4477550403.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: @\eqDTime: 06/24/2024 01:10:13<br>User Name: user<br>Computer Name: 888683<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br><hr><b>[ Program Manager]</b> (24/04/2024 21:58:41)<br>{Win}r{Win}r
Source: RegSvcs.exe, 00000004.00000002.4477550403.0000000002C65000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $eq?<b>[ Program Manager]</b> (24/04/2024 21:58:41)<br>{Win}r{Win}rTHjq
Source: RegSvcs.exe, 00000004.00000002.4477550403.0000000002C65000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $eq><b>[ Program Manager]</b> (24/04/2024 21:58:41)<br>{Win}r{Win}THjq
Source: RegSvcs.exe, 00000004.00000002.4477550403.0000000002C65000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $eq3<b>[ Program Manager]</b> (24/04/2024 21:58:41)<br>

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe

Code function: 0_2_007E0698 cpuid

0_2_007E0698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

4_2_00417A20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Queries volume information: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Queries volume information: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe

Code function: 0_2_00838195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00838195

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe

Code function: 0_2_0081D27A GetUserNameW,

0_2_0081D27A

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe

Code function: 0_2_007FB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_007FB952

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe

Code function: 0_2_007C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007C42DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 4.2.RegSvcs.exe.285020e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.284f326.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5120000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5120000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4f80000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.284f326.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4f80ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3c53790.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3c53790.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3c05570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3c06458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4f80000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.285020e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4f80ee8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3c05570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3c06458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4478825665.0000000005120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4477299535.000000000280F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4478416946.0000000004F80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4478163041.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6380, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 4.2.RegSvcs.exe.285020e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.284f326.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5120000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5120000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4f80000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.284f326.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4f80ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3c53790.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3c53790.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3c05570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3c06458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4f80000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.285020e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4f80ee8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3c05570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3c06458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4478825665.0000000005120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4477299535.000000000280F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4478416946.0000000004F80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4478163041.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.62402781, Fiyat Teklif Talebi.pdf.exe.11f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.62402781, Fiyat Teklif Talebi.pdf.exe.3cf0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4475963234.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2028748340.00000000011F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2016173689.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: 62402781, Fiyat Teklif Talebi.pdf.exe	Binary or memory string: WIN_81
Source: 62402781, Fiyat Teklif Talebi.pdf.exe	Binary or memory string: WIN_XP
Source: 62402781, Fiyat Teklif Talebi.pdf.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: 62402781, Fiyat Teklif Talebi.pdf.exe	Binary or memory string: WIN_XPe
Source: 62402781, Fiyat Teklif Talebi.pdf.exe	Binary or memory string: WIN_VISTA
Source: 62402781, Fiyat Teklif Talebi.pdf.exe	Binary or memory string: WIN_7
Source: 62402781, Fiyat Teklif Talebi.pdf.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 4.2.RegSvcs.exe.285020e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.284f326.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5120000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5120000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4f80000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.284f326.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4f80ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3c53790.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3c53790.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3c05570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3c06458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4f80000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.285020e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4f80ee8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3c05570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3c06458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4478825665.0000000005120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4477299535.000000000280F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4478416946.0000000004F80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4477550403.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4478163041.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6380, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 4.2.RegSvcs.exe.285020e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.284f326.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5120000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5120000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4f80000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.284f326.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4f80ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3c53790.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3c53790.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3c05570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3c06458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4f80000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.285020e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4f80ee8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3c05570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3c06458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4478825665.0000000005120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4477299535.000000000280F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4478416946.0000000004F80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4478163041.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6380, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 4.2.RegSvcs.exe.285020e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.284f326.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5120000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5120000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4f80000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.284f326.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4f80ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3c53790.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3c53790.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3c05570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3c06458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4f80000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.285020e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4f80ee8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3c05570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3c06458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4478825665.0000000005120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4477299535.000000000280F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4478416946.0000000004F80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4478163041.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.62402781, Fiyat Teklif Talebi.pdf.exe.11f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.62402781, Fiyat Teklif Talebi.pdf.exe.3cf0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4475963234.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2028748340.00000000011F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2016173689.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_00841204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00841204
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe	Code function: 0_2_00841806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00841806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	321 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	2 Valid Accounts	12 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 Software Packing	NTDS	48 System Information Discovery	Distributed Component Object Model	321 Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	241 Security Software Discovery	SSH	4 Clipboard Data	111 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	11 Masquerading	Cached Domain Credentials	241 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	241 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	212 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Hidden Files and Directories	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
62402781, Fiyat Teklif Talebi.pdf.exe	53%	ReversingLabs	Win32.Spyware.RedLine
62402781, Fiyat Teklif Talebi.pdf.exe	49%	Virustotal		Browse
62402781, Fiyat Teklif Talebi.pdf.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	0%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
mail.musabody.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
mail.musabody.com	0%	Avira URL Cloud	safe
http://mail.musabody.com	0%	Avira URL Cloud	safe
mail.musabody.com	0%	Virustotal		Browse
http://mail.musabody.com	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.musabody.com	108.167.140.123	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
mail.musabody.com	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://account.dyn.com/	RegSvcs.exe, 00000004.00000002.4478825665.0000000005120000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4477299535.000000000280F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4478416946.0000000004F80000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4478163041.0000000003C01000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mail.musabody.com	RegSvcs.exe, 00000004.00000002.4477550403.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
108.167.140.123	mail.musabody.com	United States		46606	UNIFIEDLAYER-AS-1US	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430787
Start date and time:	2024-04-24 07:18:16 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	62402781, Fiyat Teklif Talebi.pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@11/10@1/1
EGA Information:	Successful, ratio: 60%
HCA Information:	Successful, ratio: 95% Number of executed functions: 52 Number of non-executed functions: 294
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target ctsdvwT.exe, PID 3580 because it is empty
Execution Graph export aborted for target ctsdvwT.exe, PID 4028 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:19:08	API Interceptor	10644463x Sleep call for process: RegSvcs.exe modified
07:19:10	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ctsdvwT C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
07:19:18	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ctsdvwT C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
108.167.140.123	2024-19-2118fernas.pdf.exe	Get hash	malicious	AgentTesla	Browse
	DHL Shipping DocumentTracking No Confirmation.doc.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Fiyat_teklifi_Istegi_23070_PER_120_Adet_#U2026scanneed_00101.pdf.bat.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.musabody.com	2024-19-2118fernas.pdf.exe	Get hash	malicious	AgentTesla	Browse	108.167.140.123
	DHL Shipping DocumentTracking No Confirmation.doc.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	108.167.140.123
	Fiyat_teklifi_Istegi_23070_PER_120_Adet_#U2026scanneed_00101.pdf.bat.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	108.167.140.123

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNIFIEDLAYER-AS-1US	DHL_1003671162.exe	Get hash	malicious	AgentTesla	Browse	50.87.253.239
	1000901 LIQUIDACION.vbs	Get hash	malicious	FormBook, GuLoader	Browse	162.241.253.78
	FT. 40FE CNY .xlsx.lnk	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer, RedLine	Browse	192.185.124.132
	CREDIT NOTE.exe	Get hash	malicious	AgentTesla	Browse	192.185.129.60
	Total Invoices.exe	Get hash	malicious	AgentTesla	Browse	192.185.129.60
	knfV5IVjEV.lnk	Get hash	malicious	Unknown	Browse	162.241.216.65
	http://www.noahsarkademy.com	Get hash	malicious	Unknown	Browse	69.49.230.31
	CR-FEDEX_TN-775720741041.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	192.185.13.234
	Wire Transfer Payment Receipt#2024-22-04.exe	Get hash	malicious	AgentTesla	Browse	162.144.15.164
	DHL_RF_20200712_BN_OTN 0095673441.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	192.185.13.234

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe	CREDIT NOTE.exe	Get hash	malicious	AgentTesla	Browse
	Total Invoices.exe	Get hash	malicious	AgentTesla	Browse
	BARSYL SHIPPING Co (VIETNAM).exe	Get hash	malicious	AgentTesla	Browse
	BARSYL SHIPPING Co (VIETNAM).exe	Get hash	malicious	AgentTesla	Browse
	Urgent PO 18-3081 Confirmation.exe	Get hash	malicious	AgentTesla	Browse
	CAHKHCM2404009CFS.exe	Get hash	malicious	AgentTesla	Browse
	FAR.N_2430-240009934.exe	Get hash	malicious	AgentTesla	Browse
	TT copy of the first payment.exe	Get hash	malicious	AgentTesla	Browse
	Booking_BK24-000288_19_Apr_2410_52_34 AM.exe	Get hash	malicious	AgentTesla	Browse
	charesworh.exe	Get hash	malicious	AgentTesla	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ctsdvwT.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	142
Entropy (8bit):	5.090621108356562
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5:	8C0458BB9EA02D50565175E38D577E35
SHA1:	F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256:	C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512:	804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\Keily

Download File

Process:	C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	268800
Entropy (8bit):	7.884485715236842
Encrypted:	false
SSDEEP:	6144:nrDag7U8J4nypuw/Zq+ZkzojtdmrHC9eix5bE:njUm4nMV/bEmtIO9m
MD5:	AF93BAC11A87DF70B05710E2B7218060
SHA1:	2A4A8A7AC508FF1981296B784B6042E5D7C150A0
SHA-256:	33B56671717891B41069F8A8252E1AA46DCD99E681393F4BE26235D85291DF1C
SHA-512:	27163075FC4E0D6B98B3188EDA42E0D01E5ACB0F1F53EE6742E0123C267007AD6829DDA77A7517BAAF5C5A9F27D90483D7866BECF0CE5319E45824163844F4BA
Malicious:	false
Reputation:	low
Preview:	...7@SLOHQ43..5I.7KAQ7CS.OLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CS.OLQ:,.K5.@.j.P{.r.'%".C6R;(Zk"0Y-<8o.4.A1+. '......<(b\99`E5II7KA9'.~`>./.B.;.8.Iyb.I\|".1G.Mo4.7eF.?.F.-~l"/(B.;.j I.0.Iqp71a .M.,V!eF.?Q7CSLOLQ43DE5II7op.RCSLO..43.D1I=.K.Q7CSLOLQ.3gD>H@7K.P7C-NOLQ43k.5II'KAQ.BSLO.Q4#DE5KI7NAQ7CSLOIQ43DE5IIWOAQ3CS.tNQ63D.5IY7KQQ7CS\OLA43DE5IY7KAQ7CSLOLQ.&FEeII7K!S7.MOLQ43DE5II7KAQ7CSLOLQ43DE..H7WAQ7CSLOLQ43DE5II7KAQ7CSLOLQ.>FEuII7KAQ7CSLOL.53.D5II7KAQ7CSLOLQ43DE5II7KAQ7m')78Q43\.4II'KAQ.BSLKLQ43DE5II7KAQ7cSL/b#PR0$5I.ZKAQ.BSL!LQ4.EE5II7KAQ7CSLO.Q4sj!T=(7KA..CSLoNQ4%DE5CK7KAQ7CSLOLQ43.E5.gE8327CS.MQ4SFE5.H7KaS7CSLOLQ43DE5I.7K.Q7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ

C:\Users\user\AppData\Local\Temp\Maianthemum

Download File

Process:	C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe
File Type:	ASCII text, with very long lines (28690), with no line terminators
Category:	dropped
Size (bytes):	28690
Entropy (8bit):	3.593650467829383
Encrypted:	false
SSDEEP:	768:PiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbiE+Ik6Ng4vfF3if6gyH:PiTZ+2QoioGRk6ZklputwjpjBkCiw2R5
MD5:	7D7F1EBFA316B694372C36637AA2E445
SHA1:	AF3EDDAAD5B3131E4B9F2CB099C8684A49927C08
SHA-256:	96107D3CEC23CABD7C8CE646D4B48B5920DBBE4BE1321F14531D44D45DA9455F
SHA-512:	FEE547DB8EBAF79E0272D697E44CD34065A0CCDB41A8AEAB671A85D0DBDC30D678848146020DE8E1AAD4B21474FAC14B4180ED50F3A7E882F3A42CF33C3751F5
Malicious:	false
Reputation:	low
Preview:	ZXJVISJXZX6R1BKY0x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffffba6c0000006689957cffffffb86c0000006689857effffff33c966894d80ba7300

C:\Users\user\AppData\Local\Temp\aut32DD.tmp

Download File

Process:	C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	268800
Entropy (8bit):	7.884485715236842
Encrypted:	false
SSDEEP:	6144:nrDag7U8J4nypuw/Zq+ZkzojtdmrHC9eix5bE:njUm4nMV/bEmtIO9m
MD5:	AF93BAC11A87DF70B05710E2B7218060
SHA1:	2A4A8A7AC508FF1981296B784B6042E5D7C150A0
SHA-256:	33B56671717891B41069F8A8252E1AA46DCD99E681393F4BE26235D85291DF1C
SHA-512:	27163075FC4E0D6B98B3188EDA42E0D01E5ACB0F1F53EE6742E0123C267007AD6829DDA77A7517BAAF5C5A9F27D90483D7866BECF0CE5319E45824163844F4BA
Malicious:	false
Reputation:	low
Preview:	...7@SLOHQ43..5I.7KAQ7CS.OLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CS.OLQ:,.K5.@.j.P{.r.'%".C6R;(Zk"0Y-<8o.4.A1+. '......<(b\99`E5II7KA9'.~`>./.B.;.8.Iyb.I\|".1G.Mo4.7eF.?.F.-~l"/(B.;.j I.0.Iqp71a .M.,V!eF.?Q7CSLOLQ43DE5II7op.RCSLO..43.D1I=.K.Q7CSLOLQ.3gD>H@7K.P7C-NOLQ43k.5II'KAQ.BSLO.Q4#DE5KI7NAQ7CSLOIQ43DE5IIWOAQ3CS.tNQ63D.5IY7KQQ7CS\OLA43DE5IY7KAQ7CSLOLQ.&FEeII7K!S7.MOLQ43DE5II7KAQ7CSLOLQ43DE..H7WAQ7CSLOLQ43DE5II7KAQ7CSLOLQ.>FEuII7KAQ7CSLOL.53.D5II7KAQ7CSLOLQ43DE5II7KAQ7m')78Q43\.4II'KAQ.BSLKLQ43DE5II7KAQ7cSL/b#PR0$5I.ZKAQ.BSL!LQ4.EE5II7KAQ7CSLO.Q4sj!T=(7KA..CSLoNQ4%DE5CK7KAQ7CSLOLQ43.E5.gE8327CS.MQ4SFE5.H7KaS7CSLOLQ43DE5I.7K.Q7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ

C:\Users\user\AppData\Local\Temp\aut332C.tmp

Download File

Process:	C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	9842
Entropy (8bit):	7.589523147591666
Encrypted:	false
SSDEEP:	192:4ZsqLUGeKtxWQa8NAr+mnPVU9NuV0Ohwu08RIPx38hMmxK7B:fqLFLtx3a8E+m69NPPutIp3cLxyB
MD5:	D194AFDD0191515B1FD3CC79B47C95B7
SHA1:	594CB21B83D325C605F6E234EB4EDCF75FAC7C96
SHA-256:	DF949830404B1BCC9CAD55193C1EBA8306AD728DF39BC2B3DC775C6832C02E61
SHA-512:	0A09B140B9CF64CB8755467A6011AD72B5C33DD9629F2BF8009D95C14CAB5A1065BAE721D38B0EF9D2E629FAA90C34726BC5EA4F5FE5B77EADC434ACF0D74098
Malicious:	false
Reputation:	low
Preview:	EA06..p..V)UjMN.X.V&.)...Y.^&.Y..c.Ll.;..a2....Y..ob.M.@...a6.N'3I..ib....]........K........\|...o..b..`.....8.....9.X.30...,.....2.Z..k9..6.@.o.l..X......g.9...v0..X....N.,.I.........9..&....r.'.Y...c ....Aa.H.......F.3<..Y@.6...$.`....f@...x..j....Br.....Xf.0..l....n...Y&@5_..h....&.5_..p.U.., 5_....U..,.5_..`.U..f@5\..>3...M.^.a.Z..k6.z..o6......@.....3y..G../Z.M. .....jr....n.u....$.`./.o8...f.G_T.......>_.......zk5....i....3 ...................`.M..`... ...c...@..(.'.4.X.{>K...c.MlS@..X..._..p.....>K.#G.b..3\|v9..G.4.X.@8_..kc..i\|v9....c.h.,v..........7.Ml.K5...M..0;..8.Nf.0.L..6i..f..+..ff6)...6.N,....f...E...Y....3.I.....M.......vI.....0.....2p....<d....,vb........N@!+..'& ....,fo2..,.).......r.2.X...c3k$.ef.Y.!...Gf@....,f.9..,.. .#7.....c.0.....y..p.h.s.....,vf......t.L@...40.....f....N&3....4..@.6.-..p..S.-..2...S0.N.@.;5.`..9.M,`...k8.....c.P..Yf3.wx.....vl......@.E....N.y6....p.c3.%..4..b.!....F ....B5c.L.3........vn.....f.;%.r...B3P.....;8.X...a.M... ......

C:\Users\user\AppData\Local\Temp\aut3686.tmp

Download File

Process:	C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	268800
Entropy (8bit):	7.884485715236842
Encrypted:	false
SSDEEP:	6144:nrDag7U8J4nypuw/Zq+ZkzojtdmrHC9eix5bE:njUm4nMV/bEmtIO9m
MD5:	AF93BAC11A87DF70B05710E2B7218060
SHA1:	2A4A8A7AC508FF1981296B784B6042E5D7C150A0
SHA-256:	33B56671717891B41069F8A8252E1AA46DCD99E681393F4BE26235D85291DF1C
SHA-512:	27163075FC4E0D6B98B3188EDA42E0D01E5ACB0F1F53EE6742E0123C267007AD6829DDA77A7517BAAF5C5A9F27D90483D7866BECF0CE5319E45824163844F4BA
Malicious:	false
Reputation:	low
Preview:	...7@SLOHQ43..5I.7KAQ7CS.OLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CS.OLQ:,.K5.@.j.P{.r.'%".C6R;(Zk"0Y-<8o.4.A1+. '......<(b\99`E5II7KA9'.~`>./.B.;.8.Iyb.I\|".1G.Mo4.7eF.?.F.-~l"/(B.;.j I.0.Iqp71a .M.,V!eF.?Q7CSLOLQ43DE5II7op.RCSLO..43.D1I=.K.Q7CSLOLQ.3gD>H@7K.P7C-NOLQ43k.5II'KAQ.BSLO.Q4#DE5KI7NAQ7CSLOIQ43DE5IIWOAQ3CS.tNQ63D.5IY7KQQ7CS\OLA43DE5IY7KAQ7CSLOLQ.&FEeII7K!S7.MOLQ43DE5II7KAQ7CSLOLQ43DE..H7WAQ7CSLOLQ43DE5II7KAQ7CSLOLQ.>FEuII7KAQ7CSLOL.53.D5II7KAQ7CSLOLQ43DE5II7KAQ7m')78Q43\.4II'KAQ.BSLKLQ43DE5II7KAQ7cSL/b#PR0$5I.ZKAQ.BSL!LQ4.EE5II7KAQ7CSLO.Q4sj!T=(7KA..CSLoNQ4%DE5CK7KAQ7CSLOLQ43.E5.gE8327CS.MQ4SFE5.H7KaS7CSLOLQ43DE5I.7K.Q7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ43DE5II7KAQ7CSLOLQ

C:\Users\user\AppData\Local\Temp\aut36D6.tmp

Download File

Process:	C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	9842
Entropy (8bit):	7.589523147591666
Encrypted:	false
SSDEEP:	192:4ZsqLUGeKtxWQa8NAr+mnPVU9NuV0Ohwu08RIPx38hMmxK7B:fqLFLtx3a8E+m69NPPutIp3cLxyB
MD5:	D194AFDD0191515B1FD3CC79B47C95B7
SHA1:	594CB21B83D325C605F6E234EB4EDCF75FAC7C96
SHA-256:	DF949830404B1BCC9CAD55193C1EBA8306AD728DF39BC2B3DC775C6832C02E61
SHA-512:	0A09B140B9CF64CB8755467A6011AD72B5C33DD9629F2BF8009D95C14CAB5A1065BAE721D38B0EF9D2E629FAA90C34726BC5EA4F5FE5B77EADC434ACF0D74098
Malicious:	false
Preview:	EA06..p..V)UjMN.X.V&.)...Y.^&.Y..c.Ll.;..a2....Y..ob.M.@...a6.N'3I..ib....]........K........\|...o..b..`.....8.....9.X.30...,.....2.Z..k9..6.@.o.l..X......g.9...v0..X....N.,.I.........9..&....r.'.Y...c ....Aa.H.......F.3<..Y@.6...$.`....f@...x..j....Br.....Xf.0..l....n...Y&@5_..h....&.5_..p.U.., 5_....U..,.5_..`.U..f@5\..>3...M.^.a.Z..k6.z..o6......@.....3y..G../Z.M. .....jr....n.u....$.`./.o8...f.G_T.......>_.......zk5....i....3 ...................`.M..`... ...c...@..(.'.4.X.{>K...c.MlS@..X..._..p.....>K.#G.b..3\|v9..G.4.X.@8_..kc..i\|v9....c.h.,v..........7.Ml.K5...M..0;..8.Nf.0.L..6i..f..+..ff6)...6.N,....f...E...Y....3.I.....M.......vI.....0.....2p....<d....,vb........N@!+..'& ....,fo2..,.).......r.2.X...c3k$.ef.Y.!...Gf@....,f.9..,.. .#7.....c.0.....y..p.h.s.....,vf......t.L@...40.....f....N&3....4..@.6.-..p..S.-..2...S0.N.@.;5.`..9.M,`...k8.....c.P..Yf3.wx.....vl......@.E....N.y6....p.c3.%..4..b.!....F ....B5c.L.3........vn.....f.;%.r...B3P.....;8.X...a.M... ......

C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	45984
Entropy (8bit):	6.16795797263964
Encrypted:	false
SSDEEP:	768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
MD5:	9D352BC46709F0CB5EC974633A0C3C94
SHA1:	1969771B2F022F9A86D77AC4D4D239BECDF08D07
SHA-256:	2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
SHA-512:	13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: CREDIT NOTE.exe, Detection: malicious, Browse Filename: Total Invoices.exe, Detection: malicious, Browse Filename: BARSYL SHIPPING Co (VIETNAM).exe, Detection: malicious, Browse Filename: BARSYL SHIPPING Co (VIETNAM).exe, Detection: malicious, Browse Filename: Urgent PO 18-3081 Confirmation.exe, Detection: malicious, Browse Filename: CAHKHCM2404009CFS.exe, Detection: malicious, Browse Filename: FAR.N_2430-240009934.exe, Detection: malicious, Browse Filename: TT copy of the first payment.exe, Detection: malicious, Browse Filename: Booking_BK24-000288_19_Apr_2410_52_34 AM.exe, Detection: malicious, Browse Filename: charesworh.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0..d..........V.... ........@.. ..............................s.....`.....................................O.......8............r...A.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........\|...P...........................................r...p(....2.(....(....z..r...p(....(....(......}......{.....s..........0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t........0..(....... ....s$........o%....X..(....-...o&....0...........('......&.........................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1141
Entropy (8bit):	4.442398121585593
Encrypted:	false
SSDEEP:	24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
MD5:	6FB4D27A716A8851BC0505666E7C7A10
SHA1:	AD2A232C6E709223532C4D1AB892303273D8C814
SHA-256:	1DC36F296CE49BDF1D560B527DB06E1E9791C10263459A67EACE706C6DDCDEAE
SHA-512:	3192095C68C6B7AD94212B7BCA0563F2058BCE00C0C439B90F0E96EA2F029A37C2F2B69487591B494C1BA54697FE891E214582E392127CB8C90AB682E0D81ADB
Malicious:	false
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.089601056045462
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	62402781, Fiyat Teklif Talebi.pdf.exe
File size:	1'209'856 bytes
MD5:	52e4f8ee79c595a890bc451dfbbbb9f4
SHA1:	12b24cc207161c893d5c87fc12453c083275d11f
SHA256:	0766dcf703dbf0243d873fff3b325054eee96ce58a9753ac8aa9891c311b4434
SHA512:	b10bad66f74786fef8e514c807700127e5518f3b64f14c6f05585f65bf01da7e0ff38de338e88ff1d5698e7c7a4c6f60a3294066ce7ea0d7b8a2881a67e3fcea
SSDEEP:	24576:sqDEvCTbMWu7rQYlBQcBiT6rprG8alPCJcAwNhy:sTvC/MTQYxsWR7alPC6B
TLSH:	F945CF0273D1C062FF9BA2334F5AF6515ABC6A260123E61F13981D79BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x662788FA [Tue Apr 23 10:10:02 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F7D51423C43h
jmp 00007F7D5142354Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F7D5142372Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F7D514236FAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F7D514262EDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F7D51426338h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F7D51426321h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x50b54	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x125000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x50b54	0x50c00	8d27de06d9bdfdb84997a035f713d1d7	False	0.9187215799148607	data	7.873779797350826	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x125000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x47dec	data			1.0003261091106732
RT_GROUP_ICON	0x1245a4	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x12461c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x124630	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x124644	0x14	data	English	Great Britain	1.25
RT_VERSION	0x124658	0x10c	data	English	Great Britain	0.5932835820895522
RT_MANIFEST	0x124764	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/24/24-07:20:53.590123	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49712	587	192.168.2.5	108.167.140.123
04/24/24-07:20:53.590123	TCP	2839723	ETPRO TROJAN Win32/Agent Tesla SMTP Activity	49712	587	192.168.2.5	108.167.140.123
04/24/24-07:20:53.590247	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49712	587	192.168.2.5	108.167.140.123
04/24/24-07:20:53.590247	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49712	587	192.168.2.5	108.167.140.123
04/24/24-07:20:53.590247	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49712	587	192.168.2.5	108.167.140.123

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 07:20:51.890005112 CEST	49712	587	192.168.2.5	108.167.140.123
Apr 24, 2024 07:20:52.072721004 CEST	587	49712	108.167.140.123	192.168.2.5
Apr 24, 2024 07:20:52.072787046 CEST	49712	587	192.168.2.5	108.167.140.123
Apr 24, 2024 07:20:52.344182968 CEST	587	49712	108.167.140.123	192.168.2.5
Apr 24, 2024 07:20:52.345765114 CEST	49712	587	192.168.2.5	108.167.140.123
Apr 24, 2024 07:20:52.526928902 CEST	587	49712	108.167.140.123	192.168.2.5
Apr 24, 2024 07:20:52.532222986 CEST	49712	587	192.168.2.5	108.167.140.123
Apr 24, 2024 07:20:52.723032951 CEST	587	49712	108.167.140.123	192.168.2.5
Apr 24, 2024 07:20:52.723889112 CEST	49712	587	192.168.2.5	108.167.140.123
Apr 24, 2024 07:20:52.946681976 CEST	587	49712	108.167.140.123	192.168.2.5
Apr 24, 2024 07:20:52.999408960 CEST	587	49712	108.167.140.123	192.168.2.5
Apr 24, 2024 07:20:52.999651909 CEST	49712	587	192.168.2.5	108.167.140.123
Apr 24, 2024 07:20:53.180499077 CEST	587	49712	108.167.140.123	192.168.2.5
Apr 24, 2024 07:20:53.180783033 CEST	587	49712	108.167.140.123	192.168.2.5
Apr 24, 2024 07:20:53.180942059 CEST	49712	587	192.168.2.5	108.167.140.123
Apr 24, 2024 07:20:53.402695894 CEST	587	49712	108.167.140.123	192.168.2.5
Apr 24, 2024 07:20:53.408198118 CEST	587	49712	108.167.140.123	192.168.2.5
Apr 24, 2024 07:20:53.408368111 CEST	49712	587	192.168.2.5	108.167.140.123
Apr 24, 2024 07:20:53.589337111 CEST	587	49712	108.167.140.123	192.168.2.5
Apr 24, 2024 07:20:53.589520931 CEST	587	49712	108.167.140.123	192.168.2.5
Apr 24, 2024 07:20:53.590122938 CEST	49712	587	192.168.2.5	108.167.140.123
Apr 24, 2024 07:20:53.590246916 CEST	49712	587	192.168.2.5	108.167.140.123
Apr 24, 2024 07:20:53.590296030 CEST	49712	587	192.168.2.5	108.167.140.123
Apr 24, 2024 07:20:53.590378046 CEST	49712	587	192.168.2.5	108.167.140.123
Apr 24, 2024 07:20:53.771146059 CEST	587	49712	108.167.140.123	192.168.2.5
Apr 24, 2024 07:20:53.772097111 CEST	587	49712	108.167.140.123	192.168.2.5
Apr 24, 2024 07:20:53.822330952 CEST	49712	587	192.168.2.5	108.167.140.123
Apr 24, 2024 07:22:31.634862900 CEST	49712	587	192.168.2.5	108.167.140.123
Apr 24, 2024 07:22:31.856556892 CEST	587	49712	108.167.140.123	192.168.2.5
Apr 24, 2024 07:22:32.018495083 CEST	587	49712	108.167.140.123	192.168.2.5
Apr 24, 2024 07:22:32.018553972 CEST	49712	587	192.168.2.5	108.167.140.123
Apr 24, 2024 07:22:32.018716097 CEST	49712	587	192.168.2.5	108.167.140.123
Apr 24, 2024 07:22:32.199999094 CEST	587	49712	108.167.140.123	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 07:20:51.611255884 CEST	58365	53	192.168.2.5	1.1.1.1
Apr 24, 2024 07:20:51.879870892 CEST	53	58365	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 24, 2024 07:20:51.611255884 CEST	192.168.2.5	1.1.1.1	0x14ea	Standard query (0)	mail.musabody.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 24, 2024 07:20:51.879870892 CEST	1.1.1.1	192.168.2.5	0x14ea	No error (0)	mail.musabody.com		108.167.140.123	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 24, 2024 07:20:52.344182968 CEST	587	49712	108.167.140.123	192.168.2.5	220-gator4156.hostgator.com ESMTP Exim 4.96.2 #2 Wed, 24 Apr 2024 00:20:52 -0500 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 24, 2024 07:20:52.345765114 CEST	49712	587	192.168.2.5	108.167.140.123	EHLO 888683
Apr 24, 2024 07:20:52.526928902 CEST	587	49712	108.167.140.123	192.168.2.5	250-gator4156.hostgator.com Hello 888683 [154.16.105.36] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Apr 24, 2024 07:20:52.532222986 CEST	49712	587	192.168.2.5	108.167.140.123	AUTH login dmljdG9yaWFAbXVzYWJvZHkuY29t
Apr 24, 2024 07:20:52.723032951 CEST	587	49712	108.167.140.123	192.168.2.5	334 UGFzc3dvcmQ6
Apr 24, 2024 07:20:52.999408960 CEST	587	49712	108.167.140.123	192.168.2.5	235 Authentication succeeded
Apr 24, 2024 07:20:52.999651909 CEST	49712	587	192.168.2.5	108.167.140.123	MAIL FROM:<victoria@musabody.com>
Apr 24, 2024 07:20:53.180783033 CEST	587	49712	108.167.140.123	192.168.2.5	250 OK
Apr 24, 2024 07:20:53.180942059 CEST	49712	587	192.168.2.5	108.167.140.123	RCPT TO:<pritchardchristopher281@gmail.com>
Apr 24, 2024 07:20:53.408198118 CEST	587	49712	108.167.140.123	192.168.2.5	250 Accepted
Apr 24, 2024 07:20:53.408368111 CEST	49712	587	192.168.2.5	108.167.140.123	DATA
Apr 24, 2024 07:20:53.589520931 CEST	587	49712	108.167.140.123	192.168.2.5	354 Enter message, ending with "." on a line by itself
Apr 24, 2024 07:20:53.590378046 CEST	49712	587	192.168.2.5	108.167.140.123	.
Apr 24, 2024 07:20:53.772097111 CEST	587	49712	108.167.140.123	192.168.2.5	250 OK id=1rzV3t-001AF9-1c
Apr 24, 2024 07:22:31.634862900 CEST	49712	587	192.168.2.5	108.167.140.123	QUIT
Apr 24, 2024 07:22:32.018495083 CEST	587	49712	108.167.140.123	192.168.2.5	221 gator4156.hostgator.com closing connection

Target ID:	0
Start time:	07:19:05
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe"
Imagebase:	0x7c0000
File size:	1'209'856 bytes
MD5 hash:	52E4F8EE79C595A890BC451DFBBBB9F4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2016173689.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.2016173689.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:19:05
Start date:	24/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe"
Imagebase:	0x220000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:19:06
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe"
Imagebase:	0x7c0000
File size:	1'209'856 bytes
MD5 hash:	52E4F8EE79C595A890BC451DFBBBB9F4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.2028748340.00000000011F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000003.00000002.2028748340.00000000011F0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:19:07
Start date:	24/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe"
Imagebase:	0x630000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.4475963234.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000004.00000002.4475963234.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4478825665.0000000005120000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4478825665.0000000005120000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.4478825665.0000000005120000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000004.00000002.4478825665.0000000005120000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4477299535.000000000280F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4477299535.000000000280F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.4477299535.000000000280F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4478416946.0000000004F80000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4478416946.0000000004F80000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.4478416946.0000000004F80000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000004.00000002.4478416946.0000000004F80000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4477550403.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4478163041.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4478163041.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.4478163041.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	07:19:18
Start date:	24/04/2024
Path:	C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
Imagebase:	0x340000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:19:18
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	07:19:26
Start date:	24/04/2024
Path:	C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
Imagebase:	0xdd0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	07:19:26
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	2.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	54

Executed Functions

Function 007C42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 007C430D

Part of subcall function 007C6B57: _wcslen.LIBCMT ref: 007C6B6A

GetCurrentProcess.KERNEL32(?,0085CB64,00000000,?,?), ref: 007C4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 007C4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 007C4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 007C4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 007C4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 007C447B
GetSystemInfo.KERNEL32(?,?,?), ref: 007C44A0

Strings

|O, xrefs: 008036F8
GetNativeSystemInfo, xrefs: 007C4460
kernel32.dll, xrefs: 007C444F

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 89ae806339cffab5701428dfcf288ab79e442882f9d85709ca8a26fcb99afddc
Instruction ID: 877f89cdbcc267a00211539e8e5e73aa2dd8269f22b28fbab3604a7d915e7fef
Opcode Fuzzy Hash: 89ae806339cffab5701428dfcf288ab79e442882f9d85709ca8a26fcb99afddc
Instruction Fuzzy Hash: F2A1856590E3C2DFCF16E7797C496A67FB8BB66300B1C44AFD44193B61D62C4608EB21

Uniqueness

Uniqueness Score: -1.00%

Function 007C42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,007C50AA,?,?,00000000,00000000), ref: 007C42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,007C50AA,?,?,00000000,00000000), ref: 007C42C9
LoadResource.KERNEL32(?,00000000,?,?,007C50AA,?,?,00000000,00000000,?,?,?,?,?,?,007C4F20), ref: 008035BE
SizeofResource.KERNEL32(?,00000000,?,?,007C50AA,?,?,00000000,00000000,?,?,?,?,?,?,007C4F20), ref: 008035D3
LockResource.KERNEL32(007C50AA,?,?,007C50AA,?,?,00000000,00000000,?,?,?,?,?,?,007C4F20,?), ref: 008035E6

Strings

SCRIPT, xrefs: 007C42BF

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 1ee6d77447cd219d20e929bbe9dff02f2452c3e80102016f9d68713d308c1e92
Instruction ID: bc047b3bcfcb8bc9d01cf56bbc71226552b3774464744a5f2c00cbf489c35105
Opcode Fuzzy Hash: 1ee6d77447cd219d20e929bbe9dff02f2452c3e80102016f9d68713d308c1e92
Instruction Fuzzy Hash: 6B117971200700BFEB218BA5DC49F277BBAFBC5B52F20816DB816D62A0DB75D800DA20

Uniqueness

Uniqueness Score: -1.00%

Function 00802BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 007C2B6B

Part of subcall function 007C3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00891418,?,007C2E7F,?,?,?,00000000), ref: 007C3A78

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00882224), ref: 00802C10
ShellExecuteW.SHELL32(00000000,?,?,00882224), ref: 00802C17

Strings

runas, xrefs: 00802C0B

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: e3838865b1a8e2fb918234ce42368ae08795484707e75e1e2510e8dac32a1544
Instruction ID: cbadce0eefe39af43e481c5cdded0b2d91fe8c15ac48121c378e466dc42b696e
Opcode Fuzzy Hash: e3838865b1a8e2fb918234ce42368ae08795484707e75e1e2510e8dac32a1544
Instruction Fuzzy Hash: A911D231208341DACB14FF60D85DFAEBBA5FB94310F48442DF192420A3DF2C894A8712

Uniqueness

Uniqueness Score: -1.00%

Function 0082DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00805222), ref: 0082DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0082DBDD
FindFirstFileW.KERNELBASE(?,?), ref: 0082DBEE
FindClose.KERNEL32(00000000), ref: 0082DBFA

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: ca123e6a1e36eccb304da8b35d25193fe099bc7dea26776daafd0a8366402a3c
Instruction ID: ff9a2ccd413a4dff525b7b8cbdc600ba942d61089b49f7d392c5eb97ffda219b
Opcode Fuzzy Hash: ca123e6a1e36eccb304da8b35d25193fe099bc7dea26776daafd0a8366402a3c
Instruction Fuzzy Hash: ABF0A030810B245B82206B78AC0D8AA3BACFF01336B104702F836D22E0EBB45994CA96

Uniqueness

Uniqueness Score: -1.00%

Function 007CD730 Relevance: 21.6, APIs: 14, Instructions: 623sleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 007CD807
timeGetTime.WINMM ref: 007CDA07
Sleep.KERNEL32(0000000A), ref: 007CDBB1

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 05d7e602ae4ceec15d7f873bf9cb2b5424f8e50613b0500ed42f45922a9dfca4
Instruction ID: 8ec6db029b2263934147f965f486b12ccf2834d0bc8b02479fe64185be12bfa5
Opcode Fuzzy Hash: 05d7e602ae4ceec15d7f873bf9cb2b5424f8e50613b0500ed42f45922a9dfca4
Instruction Fuzzy Hash: 5542AD70608341EFDB35DF24C888FAAB7A5FF85304F14852EE55687291D778AC94CB92

Uniqueness

Uniqueness Score: -1.00%

Function 007C2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 007C2D07
RegisterClassExW.USER32(00000030), ref: 007C2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007C2D42
InitCommonControlsEx.COMCTL32(?), ref: 007C2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007C2D6F
LoadIconW.USER32(000000A9), ref: 007C2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007C2D94

Strings

AutoIt v3 GUI, xrefs: 007C2D23
0, xrefs: 007C2CE9
TaskbarCreated, xrefs: 007C2D37
+, xrefs: 007C2CF0

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: c56f464fd07a216dc0c55e20c3a9fc8ed6d7bece3386665310a908e3c5f91bcf
Instruction ID: 37bf9d576a46a9cb043270db42efa9b5cc69a5cdd284c1c3d9e221916fc79750
Opcode Fuzzy Hash: c56f464fd07a216dc0c55e20c3a9fc8ed6d7bece3386665310a908e3c5f91bcf
Instruction Fuzzy Hash: 9F21B2B5905319AFDF00EFA4EC49B9DBFB4FB08B01F14811AFA11A62A0D7B95544CF91

Uniqueness

Uniqueness Score: -1.00%

Function 007F8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.~, xrefs: 007F903A, 007F8FD0, 007F8FF2

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID:
String ID: .~
API String ID: 0-505086709
Opcode ID: 14a0eeb3614ff5dd77136993b0d492b03b5b7075fc5c244b492a28218ca35f44
Instruction ID: 0a6a9fad284a35817a476b5e280936ea8de0462b85be011fc2c4508798c73d06
Opcode Fuzzy Hash: 14a0eeb3614ff5dd77136993b0d492b03b5b7075fc5c244b492a28218ca35f44
Instruction Fuzzy Hash: 84C1D37590424EEFCB11EFA9D845BBDBBB4BF09310F084059E714A7392CB399941CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0080065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0080039A: CreateFileW.KERNELBASE(00000000,00000000,?,00800704,?,?,00000000,?,00800704,00000000,0000000C), ref: 008003B7

GetLastError.KERNEL32 ref: 0080076F
__dosmaperr.LIBCMT ref: 00800776
GetFileType.KERNELBASE(00000000), ref: 00800782
GetLastError.KERNEL32 ref: 0080078C
__dosmaperr.LIBCMT ref: 00800795
CloseHandle.KERNEL32(00000000), ref: 008007B5
CloseHandle.KERNEL32(?), ref: 008008FF
GetLastError.KERNEL32 ref: 00800931
__dosmaperr.LIBCMT ref: 00800938

Strings

H, xrefs: 008008BD

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: f12c2bdba94906bd693ed0cd2ce33d9df6858d41d45c9b36e884e0cc3316bf0a
Instruction ID: 76461b565d984ef6a90e71f7766223acc16a769d36a058756c863045d39662f6
Opcode Fuzzy Hash: f12c2bdba94906bd693ed0cd2ce33d9df6858d41d45c9b36e884e0cc3316bf0a
Instruction Fuzzy Hash: 24A13632A002488FDF19AF68DC55BAE3BA0FB06324F14415AF815DB3D2DB359912CF92

Uniqueness

Uniqueness Score: -1.00%

Function 007C344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007C3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00891418,?,007C2E7F,?,?,?,00000000), ref: 007C3A78

Part of subcall function 007C3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 007C3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 007C356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0080318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 008031CE
RegCloseKey.ADVAPI32(?), ref: 00803210
_wcslen.LIBCMT ref: 00803277
_wcslen.LIBCMT ref: 00803286

Strings

Software\AutoIt v3\AutoIt, xrefs: 007C3560
\, xrefs: 0080328C
Include, xrefs: 00803184, 008031C5
\Include\, xrefs: 007C3527

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 580dd701ab215ccbc4c6ae37558e7abb1a2c2243c2299c5c5107cdf874ac29d1
Instruction ID: f34e1c1a9b4552f75af602e5985a78e26473695cb287f801d2ed79d84cd9e032
Opcode Fuzzy Hash: 580dd701ab215ccbc4c6ae37558e7abb1a2c2243c2299c5c5107cdf874ac29d1
Instruction Fuzzy Hash: F1716C71505301EEC314EF65EC869ABBBE8FF89340B44452EF545D32B1EB389A48DB62

Uniqueness

Uniqueness Score: -1.00%

Function 007C2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 007C2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 007C2B9D
LoadIconW.USER32(00000063), ref: 007C2BB3
LoadIconW.USER32(000000A4), ref: 007C2BC5
LoadIconW.USER32(000000A2), ref: 007C2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 007C2BEF
RegisterClassExW.USER32(?), ref: 007C2C40

Part of subcall function 007C2CD4: GetSysColorBrush.USER32(0000000F), ref: 007C2D07
Part of subcall function 007C2CD4: RegisterClassExW.USER32(00000030), ref: 007C2D31
Part of subcall function 007C2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007C2D42
Part of subcall function 007C2CD4: InitCommonControlsEx.COMCTL32(?), ref: 007C2D5F
Part of subcall function 007C2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007C2D6F
Part of subcall function 007C2CD4: LoadIconW.USER32(000000A9), ref: 007C2D85
Part of subcall function 007C2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007C2D94

Strings

#, xrefs: 007C2C16
AutoIt v3, xrefs: 007C2C2F
0, xrefs: 007C2C0F

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: ebb1f9b92a4203b603fed041209b49684bc7dcb26331c05461d338a06bde891a
Instruction ID: 5643461955c447aa3e7c3e07ed61d6bcf6bb62529ec538eb7057c4358dda30b2
Opcode Fuzzy Hash: ebb1f9b92a4203b603fed041209b49684bc7dcb26331c05461d338a06bde891a
Instruction Fuzzy Hash: 7B211A70E04319AFDF10AFA9EC59B997FB4FB48B50F08411BE504A67A0D7B90540EF90

Uniqueness

Uniqueness Score: -1.00%

Function 007C3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,007C316A,?,?), ref: 007C31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,007C316A,?,?), ref: 007C3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 007C3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,007C316A,?,?), ref: 007C3232
CreatePopupMenu.USER32 ref: 007C3246
PostQuitMessage.USER32(00000000), ref: 007C3267

Strings

TaskbarCreated, xrefs: 007C322D

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 325329408b397b50699891cc3888727433dfc2025cad70639e8ce8f6f39e228a
Instruction ID: 31d86aab01b88ff0ffcd981ba878570e65abad4e90c1351b976ae614db042165
Opcode Fuzzy Hash: 325329408b397b50699891cc3888727433dfc2025cad70639e8ce8f6f39e228a
Instruction Fuzzy Hash: 5541D735248209AFDF152B789D4DFB93B69F705340F0C812EF902C66E1C76D9E40ABA1

Uniqueness

Uniqueness Score: -1.00%

Function 01902620 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 019026F1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01902917

Memory Dump Source

Source File: 00000000.00000002.2015781313.0000000001900000.00000040.00001000.00020000.00000000.sdmp, Offset: 01900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1900000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
Instruction ID: 88970670e1e4c7f5788ed59ed4494ca887968120f48f71afd4f7aab18ab651c7
Opcode Fuzzy Hash: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
Instruction Fuzzy Hash: 35A11774E00209EFDB15CFA4C898BEEBBB5BF48305F208559E609BB2C1D7759A80CB55

Uniqueness

Uniqueness Score: -1.00%

Function 007C2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 007C2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 007C2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,007C1CAD,?), ref: 007C2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,007C1CAD,?), ref: 007C2CCF

Strings

AutoIt v3, xrefs: 007C2C89, 007C2C8E, 007C2C8F
edit, xrefs: 007C2CAC

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: ac1ae4fb455c1bf6644759a41150ef7ae0ae30780858ed2996971231fef3964f
Instruction ID: 122572d6b13ff50bc621053de1057b4ad885caa5a5304f01e7feddc591a9e2ee
Opcode Fuzzy Hash: ac1ae4fb455c1bf6644759a41150ef7ae0ae30780858ed2996971231fef3964f
Instruction Fuzzy Hash: 9FF0DA755443917EEF312727AC0CE772EBDF7CAF51B04005AF904A26A0C6791854EEB0

Uniqueness

Uniqueness Score: -1.00%

Function 01902410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 138
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01902300: Sleep.KERNELBASE(000001F4), ref: 01902311

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01902515

Strings

KAQ7CSLOLQ43DE5II7, xrefs: 01902578, 0190257B

Memory Dump Source

Source File: 00000000.00000002.2015781313.0000000001900000.00000040.00001000.00020000.00000000.sdmp, Offset: 01900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1900000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: CreateFileSleep
String ID: KAQ7CSLOLQ43DE5II7
API String ID: 2694422964-1857432456
Opcode ID: 2b472c9df499155a305bd4b2c613f03d97614cf5dc27ad555fd99672a7aad3cd
Instruction ID: eec71c3b93732369e8e085f2a4ea087580a6b58528d5137d56ede1d0458c50a9
Opcode Fuzzy Hash: 2b472c9df499155a305bd4b2c613f03d97614cf5dc27ad555fd99672a7aad3cd
Instruction Fuzzy Hash: 91519471D04249DEEF12DBE4C818BEEBBB8AF54304F004199E609BB2C0D7B95B45CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00832947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00832C05
DeleteFileW.KERNEL32(?), ref: 00832C87
CopyFileW.KERNELBASE(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00832C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00832CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00832CC0

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 3cc72a439e5110648fce28ec1bb59d04d1912cbceb81614d724d342d343cce22
Instruction ID: 65a3f2db11f3e1cf95b1509a1e62df2288aa4bd2011effa981b589d52585c8cf
Opcode Fuzzy Hash: 3cc72a439e5110648fce28ec1bb59d04d1912cbceb81614d724d342d343cce22
Instruction Fuzzy Hash: 8CB13071901119EBDF21EBA4CC89EDEB77DFF48350F1040AAF509E6151EA35AA448FA1

Uniqueness

Uniqueness Score: -1.00%

Function 007F5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

JO|, xrefs: 007F5BA8, 007F5C6C

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID:
String ID: JO|
API String ID: 0-2887696345
Opcode ID: da214a9845865a79e57d21e2c12ceae0c728f570d0631f369fd87d4b4c08297e
Instruction ID: a67a72bab9d489e23be8fca55af7aeadfa73f7c8e4f6e39d7b836146dfa1bf57
Opcode Fuzzy Hash: da214a9845865a79e57d21e2c12ceae0c728f570d0631f369fd87d4b4c08297e
Instruction Fuzzy Hash: 7A518EB1901A0EEFCB11AFA5C849ABE7BB8BF49310F14015AF705A7391D7799A01CB61

Uniqueness

Uniqueness Score: -1.00%

Function 007C3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,007C3B0F,SwapMouseButtons,00000004,?), ref: 007C3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,007C3B0F,SwapMouseButtons,00000004,?), ref: 007C3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,007C3B0F,SwapMouseButtons,00000004,?), ref: 007C3B83

Strings

Control Panel\Mouse, xrefs: 007C3B3E

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 9c8030313db181661d32c067842f3f77f430c98c4195f7efd825a160fab383a0
Instruction ID: 18c0af9de58db67b25e2d5d45c0897365addcfb2ec79d1cd9fc069948672e21a
Opcode Fuzzy Hash: 9c8030313db181661d32c067842f3f77f430c98c4195f7efd825a160fab383a0
Instruction Fuzzy Hash: 0D1127B5610208FFDB208FA5DC84EEFBBB8EF04795B10846EB805D7110E235AE409BA0

Uniqueness

Uniqueness Score: -1.00%

Function 01901300 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01901B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01901B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01901B73
TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 01901E7C

Memory Dump Source

Source File: 00000000.00000002.2015781313.0000000001900000.00000040.00001000.00020000.00000000.sdmp, Offset: 01900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1900000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadTerminateThreadWow64
String ID:
API String ID: 572931308-0
Opcode ID: c5347b81de31fe322318ac143d5ad7503c5525a24d4d98ae8bc56a200060b54f
Instruction ID: 5e5265ca179ca08b703809fd90306846c3927496c5d4d52ef43d4d444f9f08a7
Opcode Fuzzy Hash: c5347b81de31fe322318ac143d5ad7503c5525a24d4d98ae8bc56a200060b54f
Instruction Fuzzy Hash: FE621830A14258DBEB25CFA4C850BDEB776EF58300F1091A9D20DEB2D4E7759E81CB59

Uniqueness

Uniqueness Score: -1.00%

Function 007CDFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 008132B7

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 86d7a6e76ec2804b0242a12f4db03464b2255f06b539bf5e72600306c16d368d
Instruction ID: 71d6c66c30a8adbca869514a7f07baf3d1c27886e606a198c0f79f1c725403f7
Opcode Fuzzy Hash: 86d7a6e76ec2804b0242a12f4db03464b2255f06b539bf5e72600306c16d368d
Instruction Fuzzy Hash: B5C24571A00214DFCB24DF58C884BADB7B5FF18310F24856EE956AB391D379AD81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 007C3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008033A2

Part of subcall function 007C6B57: _wcslen.LIBCMT ref: 007C6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 007C3A04

Strings

Line: , xrefs: 008033EB

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: efcf2f5cbb04be257003805c954df35c71a2ad971a98253ebf6ebe043ac04bc3
Instruction ID: 8819eea696ff22caa13f904329a7335340c7115a082d19f31f2670af5a0d4ec2
Opcode Fuzzy Hash: efcf2f5cbb04be257003805c954df35c71a2ad971a98253ebf6ebe043ac04bc3
Instruction Fuzzy Hash: 6A31C271408301AAD721EB20DC49FEBB7ECBB44714F04892EF59992291DB7CAA48C7C2

Uniqueness

Uniqueness Score: -1.00%

Function 007DFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 007E0668

Part of subcall function 007E32A4: RaiseException.KERNEL32(?,?,?,007E068A,?,00891444,?,?,?,?,?,?,007E068A,007C1129,00888738,007C1129), ref: 007E3304

__CxxThrowException@8.LIBVCRUNTIME ref: 007E0685

Strings

Unknown exception, xrefs: 007E0692

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 7c92d11ddc65e0e4b3868a6493931473d4e918a06ece9dd8b5933375e34733f0
Instruction ID: 8c0d27525c9208a91f4cb87982e1bd4ab32a0219edb697a197c4835dd280a50a
Opcode Fuzzy Hash: 7c92d11ddc65e0e4b3868a6493931473d4e918a06ece9dd8b5933375e34733f0
Instruction Fuzzy Hash: 58F04C3490128DF3CF00B676D84ED5E777DAE04310BA04431F924D6691EFB8DA65C6C0

Uniqueness

Uniqueness Score: -1.00%

Function 00833017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0083302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00833044

Strings

aut, xrefs: 00833038

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: b65a86947dcca7bd0ad053875919d661ff12d1bde9fc5c50fa58fdf04fef556d
Instruction ID: 98e58a1145cb6b1606809b517cf45f24df94bf0d7320a8b3f47ecbb33bf51f69
Opcode Fuzzy Hash: b65a86947dcca7bd0ad053875919d661ff12d1bde9fc5c50fa58fdf04fef556d
Instruction Fuzzy Hash: C9D05E765003286BDA30A7A4AC4EFCB3B6CEB04751F0002A1B655E2091EAB89984CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 00847F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 008482F5
TerminateProcess.KERNEL32(00000000), ref: 008482FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 008484DD

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: d0e31ac0b97bef63e207b736211c828c6e9324191339f0e2b77f5439053a7e1b
Instruction ID: 623915f23a4086d1d853db6e9e33ff4344626fce232997f146859de2950e0c7e
Opcode Fuzzy Hash: d0e31ac0b97bef63e207b736211c828c6e9324191339f0e2b77f5439053a7e1b
Instruction Fuzzy Hash: B1125871A08345DFC724DF28C484B2ABBE5FF89318F04895DE889CB252DB35E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 007C10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 007C1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 007C1BF4
Part of subcall function 007C1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 007C1BFC
Part of subcall function 007C1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 007C1C07
Part of subcall function 007C1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 007C1C12
Part of subcall function 007C1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 007C1C1A
Part of subcall function 007C1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 007C1C22

Part of subcall function 007C1B4A: RegisterWindowMessageW.USER32(00000004,?,007C12C4), ref: 007C1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 007C136A
OleInitialize.OLE32 ref: 007C1388
CloseHandle.KERNEL32(00000000,00000000), ref: 008024AB

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 499cd24c498cf5d77826c36c65fd7e1f064f14f8dd6c00caea352d4b5c361015
Instruction ID: edd2bf79495671fb66d00451c9b4c2c1d9e87d2ccf29af1dd76bae969a3e2a5c
Opcode Fuzzy Hash: 499cd24c498cf5d77826c36c65fd7e1f064f14f8dd6c00caea352d4b5c361015
Instruction Fuzzy Hash: 2071B7B49193028ECF85FFB9A94DA583BE1FB8834434E822FE51AD7261EB344409CF44

Uniqueness

Uniqueness Score: -1.00%

Function 007C54C6 Relevance: 4.6, APIs: 3, Instructions: 103COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 007C556D
SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 007C557D

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9b94fcf90212f1280dc06fea4e27b2b64e089633e46c1cb4cd9af3e6dbd55efe
Instruction ID: 98c4e0d2936064be42bb80572f8aa2f39f5fb4a4fc86bef815bf45bd529b8af1
Opcode Fuzzy Hash: 9b94fcf90212f1280dc06fea4e27b2b64e089633e46c1cb4cd9af3e6dbd55efe
Instruction Fuzzy Hash: C8312D71A00A09EFDB14CF68D880F99B7B6FB48714F14862DE91597240D776FEA4CB90

Uniqueness

Uniqueness Score: -1.00%

Function 007F86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,007F85CC,?,00888CC8,0000000C), ref: 007F8704
GetLastError.KERNEL32(?,007F85CC,?,00888CC8,0000000C), ref: 007F870E
__dosmaperr.LIBCMT ref: 007F8739

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 667951fa9933c60d698ac04c79d75b9f40f78a9bbbb3a8944b0eb03e8913a3c3
Instruction ID: 3073a3774a925ade5aefb2766007471988db13c6d119924614a4fd1bfc997411
Opcode Fuzzy Hash: 667951fa9933c60d698ac04c79d75b9f40f78a9bbbb3a8944b0eb03e8913a3c3
Instruction Fuzzy Hash: EE016B33605A285AC2A07338A84D77E67894F8277DF390119FB14CB3D3DEAC8C818152

Uniqueness

Uniqueness Score: -1.00%

Function 00832FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00832CD4,?,?,?,00000004,00000001), ref: 00832FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00832CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00833006
CloseHandle.KERNEL32(00000000,?,00832CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0083300D

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: f794d351e91bd60551eb64ca9c5704e661e861c57ee434370d8d65a30dcca906
Instruction ID: 3d1ed52565becd3f5627face11f1f9cb49febae03709ac106aa700eb6f849ae2
Opcode Fuzzy Hash: f794d351e91bd60551eb64ca9c5704e661e861c57ee434370d8d65a30dcca906
Instruction Fuzzy Hash: AAE086366807147BD2311765BC0DFCB3A1CE7C6B72F104210F719B91D046A4150146A8

Uniqueness

Uniqueness Score: -1.00%

Function 007D1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 007D17F6

Strings

CALL, xrefs: 007D17C6

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: b18b2141632e01dea980926a0efc88658273bb382d41168cb07fe4f8fe93c846
Instruction ID: 170eba3241e4f5feeab7120dc3ac26264de3484d04bde3e3363a1f885dac8afc
Opcode Fuzzy Hash: b18b2141632e01dea980926a0efc88658273bb382d41168cb07fe4f8fe93c846
Instruction Fuzzy Hash: 7922AB70608201EFC714DF14C484A6ABBF5FF89314F58896EF4968B362D739E895CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00836EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00836F6B

Part of subcall function 007C4ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00836F5A, 00836F63

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 330409fb23f8ad36d8d40c40e05a16d50049ca043a7030506e161fc9dd531f6b
Instruction ID: ad4eab6a43c63ea34a70daa282f4911f2929ce0047ba4cae09c403cede628c3c
Opcode Fuzzy Hash: 330409fb23f8ad36d8d40c40e05a16d50049ca043a7030506e161fc9dd531f6b
Instruction Fuzzy Hash: 55B15A71108601DFCB24EF24C495E6AB7E5FF94304F04895DF496972A2EB34ED49CB92

Uniqueness

Uniqueness Score: -1.00%

Function 007C2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00802C8C

Part of subcall function 007C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007C3A97,?,?,007C2E7F,?,?,?,00000000), ref: 007C3AC2

Part of subcall function 007C2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007C2DC4

Strings

X, xrefs: 00802C5A

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 902106a640404c79010464c2a8bb312ccd1105ec009c06759e710b0494889a09
Instruction ID: fa452d79c9dba659df2e595aaf3ebfa4c20333e94f5233a1134bfe637bbecf50
Opcode Fuzzy Hash: 902106a640404c79010464c2a8bb312ccd1105ec009c06759e710b0494889a09
Instruction Fuzzy Hash: 13218171A002989ADB41EF94C849BEE7BB8AF48314F00805DE505EB281DBB85A498FA1

Uniqueness

Uniqueness Score: -1.00%

Function 00832557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00832587

Strings

EA06, xrefs: 008325B9

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 9d3dcaef5501a1e6c98b0a0df8db5fb2e9e2630a3c0ccd20dbca74e1ae799142
Instruction ID: c825c9610271292c5fad063d8589768659c2c68b1f98fba9b90b1a348722cdb5
Opcode Fuzzy Hash: 9d3dcaef5501a1e6c98b0a0df8db5fb2e9e2630a3c0ccd20dbca74e1ae799142
Instruction Fuzzy Hash: 4001B572904258BEDF28D7A9C85AEAEBBF8DB05305F00455AE152D6181E5B8E7088BA0

Uniqueness

Uniqueness Score: -1.00%

Function 01902390 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 019023EA

Strings

D, xrefs: 019023A4

Memory Dump Source

Source File: 00000000.00000002.2015781313.0000000001900000.00000040.00001000.00020000.00000000.sdmp, Offset: 01900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1900000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: CreateProcess
String ID: D
API String ID: 963392458-2746444292
Opcode ID: a782293119ad2c684ee7f4e1b7c6ce7e54987cc35907e67b60f32668cf9ab6a9
Instruction ID: af88d8471419a42312f12ad2aae23f1018f18c00ecce2bb14c0705a1704fa59c
Opcode Fuzzy Hash: a782293119ad2c684ee7f4e1b7c6ce7e54987cc35907e67b60f32668cf9ab6a9
Instruction Fuzzy Hash: 0901FF71500308AFDB25DBE0CC49FFE777CAB44701F508549A61A9A1C0EA74A648CB55

Uniqueness

Uniqueness Score: -1.00%

Function 019012FD Relevance: 3.4, APIs: 2, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01901B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01901B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01901B73
TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 01901E7C

Memory Dump Source

Source File: 00000000.00000002.2015781313.0000000001900000.00000040.00001000.00020000.00000000.sdmp, Offset: 01900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1900000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadTerminateThreadWow64
String ID:
API String ID: 572931308-0
Opcode ID: 1410da97c1c912e366cdd2316cb6e2da26cba2f02901dc8eb5c106db15075d5a
Instruction ID: 749057a44620a9340b1af539371b695c9c9ad26bfb46b3c5d889f83c94d714c1
Opcode Fuzzy Hash: 1410da97c1c912e366cdd2316cb6e2da26cba2f02901dc8eb5c106db15075d5a
Instruction Fuzzy Hash: 7312DE24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4F81CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 007C3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 007C3908

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: f581e03c7a8f7e987a57c4a5a8e90964553bcc1df6d5c9502572ca0343bd820b
Instruction ID: 2911a6f6d5dcfe648347823d47dcbb842dc7815cc925c37a7e28ecda6d1ec9ca
Opcode Fuzzy Hash: f581e03c7a8f7e987a57c4a5a8e90964553bcc1df6d5c9502572ca0343bd820b
Instruction Fuzzy Hash: 1E314C705047019FD721EF24D889B97BBF8FB49708F04096EF59987250E779AA44CB52

Uniqueness

Uniqueness Score: -1.00%

Function 007C5745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,007C949C,?,00008000), ref: 007C5773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,007C949C,?,00008000), ref: 00804052

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 348795e31f3e23cdf4fdba176fa7359dbd20cb4b5465e24393eacf53f43fe7cf
Instruction ID: b9949a9906a9d1cb8a4a5c0cc9b1c8492a4018bf54af2f74077197fd30107e99
Opcode Fuzzy Hash: 348795e31f3e23cdf4fdba176fa7359dbd20cb4b5465e24393eacf53f43fe7cf
Instruction Fuzzy Hash: 40015631185725B6E3714A26DC0EF977F58EF027B1F148318BA5C6E1E0C7B95494CB90

Uniqueness

Uniqueness Score: -1.00%

Function 007C6E14 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000002,?,?,?,?,007C9879,?,?,?), ref: 007C6E33
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,007C9879,?,?,?), ref: 007C6E69

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: c93472c6e426f862fd2cc7f827077fb2a6aaa02a2342c94c5384e44814cb1aeb
Instruction ID: a5464361675da2b8d92061cb1a60e7295f017db8875bd845b0f734f3f0a7502e
Opcode Fuzzy Hash: c93472c6e426f862fd2cc7f827077fb2a6aaa02a2342c94c5384e44814cb1aeb
Instruction Fuzzy Hash: 9401D471300204BFEB18676A9C4BF7F7BADEB85700F14003EB106DA1E1E964AC004620

Uniqueness

Uniqueness Score: -1.00%

Function 007CB710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 007CBB4E

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 57bfc4447849b73bc684eef7b984a675993fbdd927eb70389a90174b48965cba
Instruction ID: 268623ebc21e7483f4b3376d7817008d3fcdd4e8d3ef4fd5f2ca0c7bb4c193a6
Opcode Fuzzy Hash: 57bfc4447849b73bc684eef7b984a675993fbdd927eb70389a90174b48965cba
Instruction Fuzzy Hash: 1A325770A00209EFDB24DF54C895FAAB7B9FF44314F18805EE915AB361D7B8AD81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 007C4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 007C4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,007C4EDD,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4E9C
Part of subcall function 007C4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 007C4EAE
Part of subcall function 007C4E90: FreeLibrary.KERNEL32(00000000,?,?,007C4EDD,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4EFD

Part of subcall function 007C4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00803CDE,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4E62
Part of subcall function 007C4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 007C4E74
Part of subcall function 007C4E59: FreeLibrary.KERNEL32(00000000,?,?,00803CDE,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4E87

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 79854615fb722de735ebd22abdff0bd0bf51d8c0065df83419c421235e4f04f9
Instruction ID: 2ef5f14424b6eed17ece98477c23933e679b092b49d5cdd0444040d6d73d00d4
Opcode Fuzzy Hash: 79854615fb722de735ebd22abdff0bd0bf51d8c0065df83419c421235e4f04f9
Instruction Fuzzy Hash: 8D112332600305EADB10EB60DC2AFAD77A5AF40710F10842DF442E61C1EEB9AA449B90

Uniqueness

Uniqueness Score: -1.00%

Function 007F8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 007F8440

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: cb488dd69ccc24184284455ac54777f00ae5d3461d38e1c4dfeef1f1dd264e29
Instruction ID: 0c977caf22b3412f986230ffa549b95e20432214a39e06f3dc072f595c170273
Opcode Fuzzy Hash: cb488dd69ccc24184284455ac54777f00ae5d3461d38e1c4dfeef1f1dd264e29
Instruction Fuzzy Hash: 5911187590410EAFCB05DF58E9419AE7BF5FF48314F144059F908AB312DB31DA11CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 007C9A40 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,007C543F,?,00010000,00000000,00000000,00000000,00000000), ref: 007C9A9C

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 8717fc6e7c6612309388054ed2990f1f30d4bb352926869c6799f084327c4e75
Instruction ID: 33448ca7a7deeebdca1af6a126bf747252de5f589a89d78142b64f478a0acbae
Opcode Fuzzy Hash: 8717fc6e7c6612309388054ed2990f1f30d4bb352926869c6799f084327c4e75
Instruction Fuzzy Hash: 37114C31204705AFD760CF15C888F6AB7F9EF44754F10C42EEA9B8A651C774E945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 007EE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 45546a8bc570fe10392127206bba3d3268b3180ec5b887669ee8dfe662f4a0f5
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: EEF0F932512A54D7C6313B679C09B6A33989F56334F100B15F620932D2DB7CE80285A6

Uniqueness

Uniqueness Score: -1.00%

Function 007F3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00891444,?,007DFDF5,?,?,007CA976,00000010,00891440,007C13FC,?,007C13C6,?,007C1129), ref: 007F3852

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 25af23fe168060a7cdc5fa170f32f329af7bbf25080e5fe4683ea8483bc26ef9
Instruction ID: a4fd2732631dac0ff22c91ca100ef3f7b04b8b3c6f3ae6e853b2fbbc473c8a9e
Opcode Fuzzy Hash: 25af23fe168060a7cdc5fa170f32f329af7bbf25080e5fe4683ea8483bc26ef9
Instruction Fuzzy Hash: B2E0E53210526CEAE62126779D08BBA3648AB42BF0F090022BE0592780DB1DDD0191F0

Uniqueness

Uniqueness Score: -1.00%

Function 007C4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4F6D

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 9a882ec4366c1fa8cbe56f35ddd088e8c538caf29c91659b37c5d805d514c57b
Instruction ID: 5fbd48d89e97c6e2f76f7da1b9427d0e72e52ad64ac658987b502e8432390a92
Opcode Fuzzy Hash: 9a882ec4366c1fa8cbe56f35ddd088e8c538caf29c91659b37c5d805d514c57b
Instruction Fuzzy Hash: ACF03971105B52CFDB349F64D4A4E22BBE4BF14329328897EE1EA82621CB399844DF10

Uniqueness

Uniqueness Score: -1.00%

Function 007C2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007C2DC4

Part of subcall function 007C6B57: _wcslen.LIBCMT ref: 007C6B6A

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 89dc7052873e29eab298e13f37f4ab690df68fc700b3b6f44faf7901f0a8ea50
Instruction ID: 4debc470f996a3e11a30a9bd83078f4ffbda616f3686f6456bd38a8e89e70e07
Opcode Fuzzy Hash: 89dc7052873e29eab298e13f37f4ab690df68fc700b3b6f44faf7901f0a8ea50
Instruction Fuzzy Hash: 07E0CD726002245BCB10D6589C09FDA77DDEFC8790F040075FD09E7248DE64AD808551

Uniqueness

Uniqueness Score: -1.00%

Function 00832693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 008326B5

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: fa2639c41a671e499a1827481e93be8af94f719411968c5168e0e027a23607d4
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: 83E04FB0609B009FDF395A28A8627B777E8EF49300F00086EF69BC2252E57268458B4D

Uniqueness

Uniqueness Score: -1.00%

Function 007C2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 007C3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 007C3908

Part of subcall function 007CD730: GetInputState.USER32 ref: 007CD807

SetCurrentDirectoryW.KERNEL32(?), ref: 007C2B6B

Part of subcall function 007C30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 007C314E

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 38166f2fb5e45727f83646e84c10fa20de9272ec530cc9781cd99a01787a91be
Instruction ID: 68e163206d2bfc5a02e74e6600c579bcb78b9f39c1e7479f58926ab4ad24cbc1
Opcode Fuzzy Hash: 38166f2fb5e45727f83646e84c10fa20de9272ec530cc9781cd99a01787a91be
Instruction Fuzzy Hash: D2E0262230430486CE04BB70985EFBDB38AABD5311F00443EF14383163CE2C898A4351

Uniqueness

Uniqueness Score: -1.00%

Function 0080039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00800704,?,?,00000000,?,00800704,00000000,0000000C), ref: 008003B7

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d2eb18a98d635a953a0ed2615c65e600c1168331c8264732a9e76fbd7bfa57ac
Instruction ID: 5d050a0c656f8ed9a8026c00e2989806ecdb4d961cbd6743bfefc38030d6a30f
Opcode Fuzzy Hash: d2eb18a98d635a953a0ed2615c65e600c1168331c8264732a9e76fbd7bfa57ac
Instruction Fuzzy Hash: D5D06C3204020DBFDF028F84DD06EDA3BAAFB48714F014040BE1856020C736E821AB90

Uniqueness

Uniqueness Score: -1.00%

Function 007C1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 007C1CBC

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 7247f474cee23eaaaf44ee1b64d6a6effc902ddcffec0a35d9e4a20e29bc3c98
Instruction ID: ad29ef87f67f7163155c2409e449ff87e6ac1f62e69bf18863f76f80ede139d5
Opcode Fuzzy Hash: 7247f474cee23eaaaf44ee1b64d6a6effc902ddcffec0a35d9e4a20e29bc3c98
Instruction Fuzzy Hash: DAC0923A280305AFF614ABD0BC4EF107764B348B01F488002F60DA96E3D3B62820EA50

Uniqueness

Uniqueness Score: -1.00%

Function 0083744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 007C5745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,007C949C,?,00008000), ref: 007C5773

GetLastError.KERNEL32(00000002,00000000), ref: 008376DE

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 88f9ef56bfbfec613919f0e45275077aef34ccc1d2550a76f11697f6a26b90e7
Instruction ID: 4782a2e0fbda9d376fb435293f59a37ed23de730e41d820ae465cd8735fb7711
Opcode Fuzzy Hash: 88f9ef56bfbfec613919f0e45275077aef34ccc1d2550a76f11697f6a26b90e7
Instruction Fuzzy Hash: 44815A70208701DFCB24EF28C4A6B69B7E1FF99314F04451DF8969B2A2DB34E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 007DFC70 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 007DFD1F

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: b7388a05acd092c146063079422f1be93cc10a186690ebe2202d57e224d96bf6
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: B731F274A00109DBC718DF69D490969FBB2FF49304B2886A6E80ACB756D735EDD1CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 019022FC Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01902311

Memory Dump Source

Source File: 00000000.00000002.2015781313.0000000001900000.00000040.00001000.00020000.00000000.sdmp, Offset: 01900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1900000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 4e14a56980887a729f56e254785252e0ff8805da29a7f71fa90bacb23c2b7c18
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 33E09A7494010EAFDB01EFA4D54969E7BB4EF04701F1005A1FD0596681DA309A548A62

Uniqueness

Uniqueness Score: -1.00%

Function 01902300 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01902311

Memory Dump Source

Source File: 00000000.00000002.2015781313.0000000001900000.00000040.00001000.00020000.00000000.sdmp, Offset: 01900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1900000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: b5b72568ff629211afc1f4818a7bfa8562ab6e0ba816a331d472b19984f29c31
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 00E0E67494010EDFDB01EFB4D54D69E7FB4EF04701F100561FD05D2281D6309D508A62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00859576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0085961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0085965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0085969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008596C9
SendMessageW.USER32 ref: 008596F2
GetKeyState.USER32(00000011), ref: 0085978B
GetKeyState.USER32(00000009), ref: 00859798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 008597AE
GetKeyState.USER32(00000010), ref: 008597B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008597E9
SendMessageW.USER32 ref: 00859810
SendMessageW.USER32(?,00001030,?,00857E95), ref: 00859918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0085992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00859941
SetCapture.USER32(?), ref: 0085994A
ClientToScreen.USER32(?,?), ref: 008599AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 008599BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008599D6
ReleaseCapture.USER32 ref: 008599E1
GetCursorPos.USER32(?), ref: 00859A19
ScreenToClient.USER32(?,?), ref: 00859A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00859A80
SendMessageW.USER32 ref: 00859AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00859AEB
SendMessageW.USER32 ref: 00859B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00859B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00859B4A
GetCursorPos.USER32(?), ref: 00859B68
ScreenToClient.USER32(?,?), ref: 00859B75
GetParent.USER32(?), ref: 00859B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00859BFA
SendMessageW.USER32 ref: 00859C2B
ClientToScreen.USER32(?,?), ref: 00859C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00859CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00859CDE
SendMessageW.USER32 ref: 00859D01
ClientToScreen.USER32(?,?), ref: 00859D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00859D82

Part of subcall function 007D9944: GetWindowLongW.USER32(?,000000EB), ref: 007D9952

GetWindowLongW.USER32(?,000000F0), ref: 00859E05

Strings

F, xrefs: 00859D07
@GUI_DRAGID, xrefs: 0085997D

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: e2fc6c36f30d0f4fd7dddbf76f09c9b018e2cfb7dd94b104ec40b2de4a91bd53
Instruction ID: 7495d863705b04013d9cd65f269129a0830b2da7067333c66d2fa462d714347d
Opcode Fuzzy Hash: e2fc6c36f30d0f4fd7dddbf76f09c9b018e2cfb7dd94b104ec40b2de4a91bd53
Instruction Fuzzy Hash: 9C428A34204301EFDB21CF64C948AAABBE5FF58356F14061EFA99C72A1E731A958DF41

Uniqueness

Uniqueness Score: -1.00%

Function 00854873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 008548F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00854908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00854927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0085494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0085495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0085497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 008549AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 008549D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00854A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00854A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00854A7E
IsMenu.USER32(?), ref: 00854A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00854AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00854B20
GetWindowLongW.USER32(?,000000F0), ref: 00854B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00854BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00854C82
wsprintfW.USER32 ref: 00854CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00854CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00854CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00854D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00854D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00854D5A

Strings

%d/%02d/%02d, xrefs: 00854CA8

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 511e67e86a4fe07e5b5e73b50bf0712fab09effa147d992e2b1ea7ee342c357f
Instruction ID: d1f01ec65d889646e4bbe05b457d179a2dfe5ac21c69df3b6d093944e8465031
Opcode Fuzzy Hash: 511e67e86a4fe07e5b5e73b50bf0712fab09effa147d992e2b1ea7ee342c357f
Instruction Fuzzy Hash: BB12D271500318AFEB258F28CC49FAE7BF4FF45319F105119F916EA2A1DB789989CB50

Uniqueness

Uniqueness Score: -1.00%

Function 007DF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 007DF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0081F474
IsIconic.USER32(00000000), ref: 0081F47D
ShowWindow.USER32(00000000,00000009), ref: 0081F48A
SetForegroundWindow.USER32(00000000), ref: 0081F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0081F4AA
GetCurrentThreadId.KERNEL32 ref: 0081F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0081F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0081F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0081F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0081F4DE
SetForegroundWindow.USER32(00000000), ref: 0081F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0081F4F6
keybd_event.USER32(00000012,00000000), ref: 0081F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0081F50B
keybd_event.USER32(00000012,00000000), ref: 0081F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0081F519
keybd_event.USER32(00000012,00000000), ref: 0081F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0081F528
keybd_event.USER32(00000012,00000000), ref: 0081F52D
SetForegroundWindow.USER32(00000000), ref: 0081F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0081F557

Strings

Shell_TrayWnd, xrefs: 0081F46F

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: adc3e80ab14f2537985b3e29ef81caf63afa988af821e34e49eef7232a3576e0
Instruction ID: 4788ae02cdb41e003dd86e4f6a54a942c696b004a71c4ba8466ccbb75e742ea2
Opcode Fuzzy Hash: adc3e80ab14f2537985b3e29ef81caf63afa988af821e34e49eef7232a3576e0
Instruction Fuzzy Hash: 74315D71A40318BFEB216BB55C4AFBF7EADFB44B51F10006AFA01E61D1D6B45940AEA0

Uniqueness

Uniqueness Score: -1.00%

Function 00821201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 008216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0082170D
Part of subcall function 008216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0082173A
Part of subcall function 008216C3: GetLastError.KERNEL32 ref: 0082174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00821286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 008212A8
CloseHandle.KERNEL32(?), ref: 008212B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008212D1
GetProcessWindowStation.USER32 ref: 008212EA
SetProcessWindowStation.USER32(00000000), ref: 008212F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00821310

Part of subcall function 008210BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008211FC), ref: 008210D4
Part of subcall function 008210BF: CloseHandle.KERNEL32(?,?,008211FC), ref: 008210E9

Strings

default, xrefs: 0082130B
winsta0, xrefs: 008212CC
, xrefs: 0082125A

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: ad4bab6992e8e4c333a7608cca5ddec34af76030537ba66492d9e7f597cca4f5
Instruction ID: 189d737593fb3265f54c5bf4c5e4f8c9a02d118bdda8bc135b7505aaa275f402
Opcode Fuzzy Hash: ad4bab6992e8e4c333a7608cca5ddec34af76030537ba66492d9e7f597cca4f5
Instruction Fuzzy Hash: 93818C71900318AFDF109FA4EC89BEE7BBAFF14704F244129F915E61A0C7358A84CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00820B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00821114
Part of subcall function 008210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00820B9B,?,?,?), ref: 00821120
Part of subcall function 008210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00820B9B,?,?,?), ref: 0082112F
Part of subcall function 008210F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00820B9B,?,?,?), ref: 00821136
Part of subcall function 008210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0082114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00820BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00820C00
GetLengthSid.ADVAPI32(?), ref: 00820C17
GetAce.ADVAPI32(?,00000000,?), ref: 00820C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00820C6D
GetLengthSid.ADVAPI32(?), ref: 00820C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00820C8C
HeapAlloc.KERNEL32(00000000), ref: 00820C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00820CB4
CopySid.ADVAPI32(00000000), ref: 00820CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00820CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00820D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00820D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00820D45
HeapFree.KERNEL32(00000000), ref: 00820D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00820D55
HeapFree.KERNEL32(00000000), ref: 00820D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00820D65
HeapFree.KERNEL32(00000000), ref: 00820D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00820D78
HeapFree.KERNEL32(00000000), ref: 00820D7F

Part of subcall function 00821193: GetProcessHeap.KERNEL32(00000008,00820BB1,?,00000000,?,00820BB1,?), ref: 008211A1
Part of subcall function 00821193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00820BB1,?), ref: 008211A8
Part of subcall function 00821193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00820BB1,?), ref: 008211B7

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: d54d874cb22441d75da3f9d84193c316e3ba45def43ab320dd0fb61cc4c78d87
Instruction ID: 641ec00acecd121221b228d8797cec1371a6dd794b0a548683ee64548230cec5
Opcode Fuzzy Hash: d54d874cb22441d75da3f9d84193c316e3ba45def43ab320dd0fb61cc4c78d87
Instruction Fuzzy Hash: E671597290131AAFEF10DFA4EC48BAEBBB8FF04311F144615E914E6292D775AA45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0083EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0085CC08), ref: 0083EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0083EB37
GetClipboardData.USER32(0000000D), ref: 0083EB43
CloseClipboard.USER32 ref: 0083EB4F
GlobalLock.KERNEL32(00000000), ref: 0083EB87
CloseClipboard.USER32 ref: 0083EB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 0083EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0083EBC9
GetClipboardData.USER32(00000001), ref: 0083EBD1
GlobalLock.KERNEL32(00000000), ref: 0083EBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 0083EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0083EC38
GetClipboardData.USER32(0000000F), ref: 0083EC44
GlobalLock.KERNEL32(00000000), ref: 0083EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0083EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0083EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0083ECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 0083ECF3
CountClipboardFormats.USER32 ref: 0083ED14
CloseClipboard.USER32 ref: 0083ED59

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 36abdb4d2a39b6330269198a73a9f2e54dc725056de46f732a980c56ef7416bb
Instruction ID: e53a546f8c9999e7fcb6413386186fc18c786240257333908dad08d23a8e1097
Opcode Fuzzy Hash: 36abdb4d2a39b6330269198a73a9f2e54dc725056de46f732a980c56ef7416bb
Instruction Fuzzy Hash: B6618734204305AFD310EF24D899F6AB7A4FB84715F14455DF856EB2E2CB39E906CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0083698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008369BE
FindClose.KERNEL32(00000000), ref: 00836A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00836A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00836A75

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00836AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00836ADF

Strings

%4d, xrefs: 00836BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00836B32
%4d%02d%02d%02d%02d%02d, xrefs: 00836B6A
%02d, xrefs: 00836C00, 00836C0A, 00836C5A, 00836CAA, 00836CFA, 00836D4A
%03d, xrefs: 00836DA2

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 63611f617388664a2a8f7d1aa471fe835d2ce0f3f2a01d8cb9ebf50e6612b545
Instruction ID: 13a79d0c0e8ede26f898829a0e932fa5790bc2b96aec77f9a5c52a65340df2e5
Opcode Fuzzy Hash: 63611f617388664a2a8f7d1aa471fe835d2ce0f3f2a01d8cb9ebf50e6612b545
Instruction Fuzzy Hash: 86D14072508344AEC314EBA4C889EABB7ECFF88704F04491DF585D7291EB78DA44CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00839642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00839663
GetFileAttributesW.KERNEL32(?), ref: 008396A1
SetFileAttributesW.KERNEL32(?,?), ref: 008396BB
FindNextFileW.KERNEL32(00000000,?), ref: 008396D3
FindClose.KERNEL32(00000000), ref: 008396DE
FindFirstFileW.KERNEL32(*.*,?), ref: 008396FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0083974A
SetCurrentDirectoryW.KERNEL32(00886B7C), ref: 00839768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00839772
FindClose.KERNEL32(00000000), ref: 0083977F
FindClose.KERNEL32(00000000), ref: 0083978F

Strings

*.*, xrefs: 008396F5

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 421aa47c148791589dc627f242d3916e2e33d2fd84a34e030788c84d137eb0da
Instruction ID: 8c1203cdcf71c2b285037030e75e581a967151d7c819585205e83cd7fd5d188b
Opcode Fuzzy Hash: 421aa47c148791589dc627f242d3916e2e33d2fd84a34e030788c84d137eb0da
Instruction Fuzzy Hash: 2E31DF3264131AAEDB10AFB4DC49ADE37ACFF89321F104055E955E21A0EBB8DE448E90

Uniqueness

Uniqueness Score: -1.00%

Function 0083979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 008397BE
FindNextFileW.KERNEL32(00000000,?), ref: 00839819
FindClose.KERNEL32(00000000), ref: 00839824
FindFirstFileW.KERNEL32(*.*,?), ref: 00839840
SetCurrentDirectoryW.KERNEL32(?), ref: 00839890
SetCurrentDirectoryW.KERNEL32(00886B7C), ref: 008398AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 008398B8
FindClose.KERNEL32(00000000), ref: 008398C5
FindClose.KERNEL32(00000000), ref: 008398D5

Part of subcall function 0082DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0082DB00

Strings

*.*, xrefs: 0083983B

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 6f1178124a721a8f52b334c02247c60d2dafa025c82928853da0e31eff09bea3
Instruction ID: 449ec07277ee5a4cdeea5c1978d4eee385714cd02eadaa958147d32036fdcebf
Opcode Fuzzy Hash: 6f1178124a721a8f52b334c02247c60d2dafa025c82928853da0e31eff09bea3
Instruction Fuzzy Hash: 3231B33150131D6EDB10AFA4DC48ADE77ACFF86325F104165E990E21A0DBB9DD44CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00838195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00838257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00838267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00838273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00838310
SetCurrentDirectoryW.KERNEL32(?), ref: 00838324
SetCurrentDirectoryW.KERNEL32(?), ref: 00838356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0083838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00838395

Strings

*.*, xrefs: 0083839B

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 03f29ab38121bcebfaffb890135444379567170c65a41e80f9e8d763868ce2c4
Instruction ID: 80521cf6fc8dd3a4c1a98dc36ca99412a0248162cc372135e43c3ebea490ea4e
Opcode Fuzzy Hash: 03f29ab38121bcebfaffb890135444379567170c65a41e80f9e8d763868ce2c4
Instruction Fuzzy Hash: 336145725043459FCB10EF64D845AAEB3E8FF89314F04892EF989C7251EB39E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0082D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 007C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007C3A97,?,?,007C2E7F,?,?,?,00000000), ref: 007C3AC2

Part of subcall function 0082E199: GetFileAttributesW.KERNEL32(?,0082CF95), ref: 0082E19A

FindFirstFileW.KERNEL32(?,?), ref: 0082D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0082D1DD
MoveFileW.KERNEL32(?,?), ref: 0082D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0082D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0082D237

Part of subcall function 0082D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0082D21C,?,?), ref: 0082D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0082D253
FindClose.KERNEL32(00000000), ref: 0082D264

Strings

\*.*, xrefs: 0082D0CD, 0082D0D6, 0082D0EB

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 24186872c4590a091d124eb0753dd35f15ebdf2670069b5f3f7c20ca383c5d27
Instruction ID: 9fe4b491271b290dcad34dc5d42572d1cca295e1e6d1081bed61c7cd83211849
Opcode Fuzzy Hash: 24186872c4590a091d124eb0753dd35f15ebdf2670069b5f3f7c20ca383c5d27
Instruction Fuzzy Hash: E4613B3180121DEACF05EBA0E956EEDBBB5FF15305F208169E401B7191EB35AF49CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0083ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0083ED91
EmptyClipboard.USER32 ref: 0083ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0083EDAC
CloseClipboard.USER32 ref: 0083EEA3

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 0e7c19d3b466dbeadc6d753668fcd6fbda10d6c330901570fb48b6f1e5d26c76
Instruction ID: fb1518ab664c1fdc34a772a98ec5f27192b69b53bafff1a7ba1903821226887f
Opcode Fuzzy Hash: 0e7c19d3b466dbeadc6d753668fcd6fbda10d6c330901570fb48b6f1e5d26c76
Instruction Fuzzy Hash: D5415A35604611AFE721DF19D888B2ABBE5FF84319F14809DE4198B6A2C779ED42CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0082E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 008216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0082170D
Part of subcall function 008216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0082173A
Part of subcall function 008216C3: GetLastError.KERNEL32 ref: 0082174A

ExitWindowsEx.USER32(?,00000000), ref: 0082E932

Strings

, xrefs: 0082E920
, xrefs: 0082E95C
SeShutdownPrivilege, xrefs: 0082E902
@, xrefs: 0082E925

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 8dcf975e2b9081bf01cfdfed69f9e263a867fd40f78e9c567a917a2081925c78
Instruction ID: 5071fd7efcbfa037d2953aaceb0d7643c6aeea112462caad5b8c042c399538a1
Opcode Fuzzy Hash: 8dcf975e2b9081bf01cfdfed69f9e263a867fd40f78e9c567a917a2081925c78
Instruction Fuzzy Hash: E8012672610334AFEF1426B8BC8ABBF765CF714745F150423FC12E21D1E6A45CC08698

Uniqueness

Uniqueness Score: -1.00%

Function 00841204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00841276
WSAGetLastError.WSOCK32 ref: 00841283
bind.WSOCK32(00000000,?,00000010), ref: 008412BA
WSAGetLastError.WSOCK32 ref: 008412C5
closesocket.WSOCK32(00000000), ref: 008412F4
listen.WSOCK32(00000000,00000005), ref: 00841303
WSAGetLastError.WSOCK32 ref: 0084130D
closesocket.WSOCK32(00000000), ref: 0084133C

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 9472d9678ec0d39e0cc8d7a695e916621de3202bd08b681fa75d9848e943e7ff
Instruction ID: e31c1f9b46b11e0b3bc09208e31a0e3681fe6d348abf86600727df05a71ed020
Opcode Fuzzy Hash: 9472d9678ec0d39e0cc8d7a695e916621de3202bd08b681fa75d9848e943e7ff
Instruction Fuzzy Hash: 0F416C316002149FDB10DF64C488B2ABBE5FF46319F18819CE856CB392C775EC81CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 007FB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007FB9D4
_free.LIBCMT ref: 007FB9F8
_free.LIBCMT ref: 007FBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00863700), ref: 007FBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0089121C,000000FF,00000000,0000003F,00000000,?,?), ref: 007FBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00891270,000000FF,?,0000003F,00000000,?), ref: 007FBC36
_free.LIBCMT ref: 007FBD4B

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 22814db96b57b7ac7d10278d505dec51c32e51069708450d642cb5d09cfa0bb7
Instruction ID: 97dd219ba3d637d4252c21f76e7b2626a093dffbc6b6a9b921c71ddaa9a5642a
Opcode Fuzzy Hash: 22814db96b57b7ac7d10278d505dec51c32e51069708450d642cb5d09cfa0bb7
Instruction Fuzzy Hash: 43C12671A0420DEFCB20EF69DC45ABABBA9EF45310F18419AE690D7352E7389E41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0082D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 007C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007C3A97,?,?,007C2E7F,?,?,?,00000000), ref: 007C3AC2

Part of subcall function 0082E199: GetFileAttributesW.KERNEL32(?,0082CF95), ref: 0082E19A

FindFirstFileW.KERNEL32(?,?), ref: 0082D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0082D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0082D481
FindClose.KERNEL32(00000000), ref: 0082D498
FindClose.KERNEL32(00000000), ref: 0082D4A1

Strings

\*.*, xrefs: 0082D3F2

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: f080ed14bcdcb35b92ca70182a4d171dba9eec06ea348799033a864e714e2559
Instruction ID: 615641e02b6d5943bc765685a787c11ed9b49c04e975da90cbdd587b567bf55b
Opcode Fuzzy Hash: f080ed14bcdcb35b92ca70182a4d171dba9eec06ea348799033a864e714e2559
Instruction Fuzzy Hash: E9318D31008355AFC200EF64D89ADAFBBE8FE91305F404A1DF4D593191EB38AA098B67

Uniqueness

Uniqueness Score: -1.00%

Function 007FE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 007FE645

Strings

1#QNAN, xrefs: 007FF84B
1#SNAN, xrefs: 007FF844
1#IND, xrefs: 007FF83D
1#INF, xrefs: 007FF852

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: c5deeb7c77019a7774bbe88b8a3b5b5c4587b165bb169d06e2f2a11e16b92876
Instruction ID: 5969104409e1c4813c0d08e527fed1c62a003be1c4700c6778469268557cdac6
Opcode Fuzzy Hash: c5deeb7c77019a7774bbe88b8a3b5b5c4587b165bb169d06e2f2a11e16b92876
Instruction Fuzzy Hash: E9C23972E0862C8FDB25DE289D447EAB7B5EF48304F1441EAD54DE7251EB78AE818F40

Uniqueness

Uniqueness Score: -1.00%

Function 0083648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008364DC
CoInitialize.OLE32(00000000), ref: 00836639
CoCreateInstance.OLE32(0085FCF8,00000000,00000001,0085FB68,?), ref: 00836650
CoUninitialize.OLE32 ref: 008368D4

Strings

.lnk, xrefs: 008364BA, 00836524, 008365E0

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 82dc1d7d0d5d69a94595fe6ed57ca5565697ca02c35e80f0e59637992db5096a
Instruction ID: 7884699bc9dbb1309ca1fcbc40d1f855f8448ad8baa7ef460a9ca958ba153c3f
Opcode Fuzzy Hash: 82dc1d7d0d5d69a94595fe6ed57ca5565697ca02c35e80f0e59637992db5096a
Instruction Fuzzy Hash: 40D13971508201AFC314EF24C885E6BB7E8FF98704F14896DF595CB291EB74E945CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 008422DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 008422E8

Part of subcall function 0083E4EC: GetWindowRect.USER32(?,?), ref: 0083E504

GetDesktopWindow.USER32 ref: 00842312
GetWindowRect.USER32(00000000), ref: 00842319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00842355
GetCursorPos.USER32(?), ref: 00842381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 008423DF

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: dd9985e5f5a9c662794e70c46682f5fa83c8b5e0c6fbeb9c4fe3f70b4ae4e12e
Instruction ID: 810de2bb071db58134cd9a79b7a1d84c68972a2eb8331a1207d564cb2832a679
Opcode Fuzzy Hash: dd9985e5f5a9c662794e70c46682f5fa83c8b5e0c6fbeb9c4fe3f70b4ae4e12e
Instruction Fuzzy Hash: 2031DE72508319AFC720DF58D849B5BBBA9FF88314F400919F985D7291DB34EA48CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00839B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00839B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00839C8B

Part of subcall function 00833874: GetInputState.USER32 ref: 008338CB
Part of subcall function 00833874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00833966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00839BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00839C75

Strings

*.*, xrefs: 00839B5D

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 56b5ef8e84294f5d511796ba9384d546c47c1ad99c760b3d7a06fa023f13132d
Instruction ID: 69db7511985cfd3faa8176fa24c7d23496105801718cfbc4fbe21910bf6d2b42
Opcode Fuzzy Hash: 56b5ef8e84294f5d511796ba9384d546c47c1ad99c760b3d7a06fa023f13132d
Instruction Fuzzy Hash: 1041607190420A9FCF14DF64C889AEEBBB8FF45311F144159E855E2191EB749E85CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 007D997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 007D9A4E
GetSysColor.USER32(0000000F), ref: 007D9B23
SetBkColor.GDI32(?,00000000), ref: 007D9B36

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 9a1fc3f79f46ad1b95f674a0a4bbb3676a9e2d975e24e7bf8a9a3190ed163666
Instruction ID: 1b73b3625ebed584ce1ae6604f681e1587e7f5820f09ef493e7543b32790ef7d
Opcode Fuzzy Hash: 9a1fc3f79f46ad1b95f674a0a4bbb3676a9e2d975e24e7bf8a9a3190ed163666
Instruction Fuzzy Hash: 26A1F871208544FEE725AA2C8C5DDBB2ABDFF82340F19421FF602D67D1DA299D41D272

Uniqueness

Uniqueness Score: -1.00%

Function 00841806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0084304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0084307A
Part of subcall function 0084304E: _wcslen.LIBCMT ref: 0084309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0084185D
WSAGetLastError.WSOCK32 ref: 00841884
bind.WSOCK32(00000000,?,00000010), ref: 008418DB
WSAGetLastError.WSOCK32 ref: 008418E6
closesocket.WSOCK32(00000000), ref: 00841915

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: a85dc9b2d2efb2be5bea299e1687def5d80fa6576a38b8651a1e72d8afbe4b87
Instruction ID: 61198057010e9236d6574a5c344dcb625fd313f0edb6d14203b91329a2a66c33
Opcode Fuzzy Hash: a85dc9b2d2efb2be5bea299e1687def5d80fa6576a38b8651a1e72d8afbe4b87
Instruction Fuzzy Hash: 1951A271A00214AFDB10AF24C88AF2A7BE5EB45718F08805CF9069F3D3CB75AD41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00851C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00851CC0
IsWindowEnabled.USER32 ref: 00851CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00851CDB
IsIconic.USER32 ref: 00851CE9
IsZoomed.USER32 ref: 00851CF7

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 566262696248e5dbd4b84308ccf8380cb6f03908bd29f573eae3ec66d5e55e12
Instruction ID: a2c8ba8d8b7389793ea3d61c618eb7c2403768451809dc1f898e63d3d1324611
Opcode Fuzzy Hash: 566262696248e5dbd4b84308ccf8380cb6f03908bd29f573eae3ec66d5e55e12
Instruction Fuzzy Hash: 3B2180317402119FDB218F1AC888F6A7BA5FF95316B19805CEC4ACB351DB76ED46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 007C8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00805DF0
VUUU, xrefs: 007C83E8
VUUU, xrefs: 007C83FA
ERCP, xrefs: 007C813C
VUUU, xrefs: 007C843C

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: d5db4372e0aee6701f3b6b3dd530d48b965a06d5988562dca25ebcf03d5abf77
Instruction ID: 855aa1bd3fe9e0a5295425c7cbfc0bcbb782bcc33d7bb17cdbd45d181824176f
Opcode Fuzzy Hash: d5db4372e0aee6701f3b6b3dd530d48b965a06d5988562dca25ebcf03d5abf77
Instruction Fuzzy Hash: 23A26D70A0061ACBDFA4CF58C844BAEB7B1FB54310F2481AED815E7285EB749D91CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0084A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0084A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0084A6BA

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0084A79C
CloseHandle.KERNEL32(00000000), ref: 0084A7AB

Part of subcall function 007DCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00803303,?), ref: 007DCE8A

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 79d2fd1d973c005c0f291dd785fdd0d83466c8164c8766abc8e3f67b380a387b
Instruction ID: 523f56c5f873a8b90e4cba52363b5b4912c4fe2d6dc45e9f15c2af0e2b729e7d
Opcode Fuzzy Hash: 79d2fd1d973c005c0f291dd785fdd0d83466c8164c8766abc8e3f67b380a387b
Instruction Fuzzy Hash: 03511971508700AFD714EF24D88AE6BBBE8FF89754F40492DF58597251EB34E904CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0082AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0082AAAC
SetKeyboardState.USER32(00000080), ref: 0082AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0082AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0082AB88

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 7961dd6c03edbb8bbcabffe87d8a2aaec5cc53b7caf6bcd33daf9b3c5cfc52c7
Instruction ID: a02fd9947cc954108be2aa766d480f81aafd8a272a73d776fd8b9a39641ec691
Opcode Fuzzy Hash: 7961dd6c03edbb8bbcabffe87d8a2aaec5cc53b7caf6bcd33daf9b3c5cfc52c7
Instruction Fuzzy Hash: C031E574A40368AFEB398A68AC05BFA7BA6FF54330F04421AE581D61D1D37589C5CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0083CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0083CE89
GetLastError.KERNEL32(?,00000000), ref: 0083CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0083CEFE

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 505f6baef74b47720ec97be026b45bbfa2ca4e2f84ab05acb96e2a8e76e59272
Instruction ID: 5eba52340d0fc9f931780444160074eef5f12488900a4afcc3e2f90fd306d652
Opcode Fuzzy Hash: 505f6baef74b47720ec97be026b45bbfa2ca4e2f84ab05acb96e2a8e76e59272
Instruction Fuzzy Hash: 42219DB1500705DFD720DF65C948BA677F8FB80759F10481EE546E2151EB74EE058BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00828298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 008282AA

Strings

|, xrefs: 008282DA
(, xrefs: 008282F0

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 5e620968ba342028dd613876ddba7a69a617278c155b5dd6abd3bc3e00d4a013
Instruction ID: 5fd54d3f3e2a233959e17e8c95f6f0ab3db150e36e67f9bbeee596cd98948580
Opcode Fuzzy Hash: 5e620968ba342028dd613876ddba7a69a617278c155b5dd6abd3bc3e00d4a013
Instruction Fuzzy Hash: 8B323474A01615DFCB28CF59D484A6AB7F0FF48710B15C46EE49ADB3A1EB70E981CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00835C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00835CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00835D17
FindClose.KERNEL32(?), ref: 00835D5F

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 1a7f06781fa7bad7fb78e92020f8500023fa971856637beb5ff7ed01e048c634
Instruction ID: 1105f6ec51c421ccc5d586200b0f04816739a7d7706ddbae902bc132fe05ee9f
Opcode Fuzzy Hash: 1a7f06781fa7bad7fb78e92020f8500023fa971856637beb5ff7ed01e048c634
Instruction Fuzzy Hash: B7517675604A019FC714DF28C498E9AB7E4FF89328F14856EE95ACB3A1CB34ED05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 007F2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 007F271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 007F2724
UnhandledExceptionFilter.KERNEL32(?), ref: 007F2731

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 10ebc894270e1cf23958aa9440172fbd19f18fc6110de857bbe4e9572936bc2f
Instruction ID: d3409b1ffeda1eb06b8e2ccdcd170fff83586d350365fc7d66be42ba85b96cd4
Opcode Fuzzy Hash: 10ebc894270e1cf23958aa9440172fbd19f18fc6110de857bbe4e9572936bc2f
Instruction Fuzzy Hash: EC31C27490131CEBCB21DF69DC88798BBB8BF08310F5041EAE90CA6261E7749F818F55

Uniqueness

Uniqueness Score: -1.00%

Function 008351CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008351DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00835238
SetErrorMode.KERNEL32(00000000), ref: 008352A1

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: c350885e730d845385a917e1e28c1a91fe6195b6eb7335b25f5deb7f7d038e58
Instruction ID: b4a7c69fe31ad45d214a0b248457badc58ee157461de6ac5e7cabe4c04b15324
Opcode Fuzzy Hash: c350885e730d845385a917e1e28c1a91fe6195b6eb7335b25f5deb7f7d038e58
Instruction Fuzzy Hash: B6313075A00618DFDB00DF54D888FAEBBB5FF49314F088099E8059B352DB35E856CB91

Uniqueness

Uniqueness Score: -1.00%

Function 008216C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 007DFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 007E0668
Part of subcall function 007DFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 007E0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0082170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0082173A
GetLastError.KERNEL32 ref: 0082174A

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 9bb548874180adaa1dc7724e5725d245c5eb575fcc1b447d327d1b389a4a104a
Instruction ID: c5c4bebdd359da7738e28f175c0f787eef01f1c78b5dbc3fa96756cf843a8d3f
Opcode Fuzzy Hash: 9bb548874180adaa1dc7724e5725d245c5eb575fcc1b447d327d1b389a4a104a
Instruction Fuzzy Hash: 1E11C4B1500308AFD7189F54EC8AD6BB7F9FB44714B20852EE05693241EB74BC418A20

Uniqueness

Uniqueness Score: -1.00%

Function 0082D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0082D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0082D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0082D650

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 908b57d00a773d566cfa060b9d8cc19afa5c85d2f184e77ffdfafcfd60531cb1
Instruction ID: 8ca2fb64506ee0136a5deb8e8dc1e0e369a1d18b870986b2ad6dbcb79faf95ea
Opcode Fuzzy Hash: 908b57d00a773d566cfa060b9d8cc19afa5c85d2f184e77ffdfafcfd60531cb1
Instruction Fuzzy Hash: B2115A75A01328BFDB108B94AC44BAFBFBCEB45B50F108111F914E7290C2744A018BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00821663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0082168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 008216A1
FreeSid.ADVAPI32(?), ref: 008216B1

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 88633034a830d78e39222853eed5c69aae2afe0f298de041f93ca422e5f8d130
Instruction ID: 9d117cfbce64223219f6fad3f8e8cda687736454418c79dfb69858b7830316e9
Opcode Fuzzy Hash: 88633034a830d78e39222853eed5c69aae2afe0f298de041f93ca422e5f8d130
Instruction Fuzzy Hash: 30F0F471950309FFDF00DFE49C89AAEBBBCFB08606F504565E501E2181E774AA448A50

Uniqueness

Uniqueness Score: -1.00%

Function 007E4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(007F28E9,?,007E4CBE,007F28E9,008888B8,0000000C,007E4E15,007F28E9,00000002,00000000,?,007F28E9), ref: 007E4D09
TerminateProcess.KERNEL32(00000000,?,007E4CBE,007F28E9,008888B8,0000000C,007E4E15,007F28E9,00000002,00000000,?,007F28E9), ref: 007E4D10
ExitProcess.KERNEL32 ref: 007E4D22

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: a96f1d5e7553ab0fc3254b67230d91c62c2f0c21eb247eb8758fc0829c45234b
Instruction ID: 4d675a6f6074e444ac3f4da08f511a38663f9cd9817dd074c722d9faf71263d5
Opcode Fuzzy Hash: a96f1d5e7553ab0fc3254b67230d91c62c2f0c21eb247eb8758fc0829c45234b
Instruction Fuzzy Hash: 0CE09231101688AFCB11AF65DD09A983B69FB85782B104054FA058A222CB39D942CA80

Uniqueness

Uniqueness Score: -1.00%

Function 007FC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 007FC36C

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 3421ba6684a3fe4febd347a3dd756ee8f566c1f6f2419d67a8bd0fdce8b1b199
Instruction ID: 370dd48423118ef907aa6bb45a3cfbda90c07b2896799114157edbe7bbda3162
Opcode Fuzzy Hash: 3421ba6684a3fe4febd347a3dd756ee8f566c1f6f2419d67a8bd0fdce8b1b199
Instruction Fuzzy Hash: 0F41267290021DAFCB209FB9DD49EBB77B8FB84354F1042A9FA15D7280E6759D81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0081D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0081D28C

Strings

X64, xrefs: 0081D2A8

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 3f6fc09f3eb1d1cdebf608075141b4334536ab542e9a732197ccb1418ee70475
Instruction ID: 56d72ad8b44ce74ed4dcec98351b227a4968666cccc3ed16a6f493636c2dca3d
Opcode Fuzzy Hash: 3f6fc09f3eb1d1cdebf608075141b4334536ab542e9a732197ccb1418ee70475
Instruction Fuzzy Hash: 7ED0C9B480121DEECF90CB90DC88DD9B3BCFB14305F100152F106E2140D77895488F10

Uniqueness

Uniqueness Score: -1.00%

Function 007ECAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: dbe4d6b337ddd621e0805d54e63a0751eb1e42788515ae04d0a86829f8a7c18f
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: C0024D76E012599FDF15CFA9C8806ADFBF1FF48314F258169E919EB380D735A9028B90

Uniqueness

Uniqueness Score: -1.00%

Function 008368EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00836918
FindClose.KERNEL32(00000000), ref: 00836961

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 5f50fcd9df2ceff515cb41240a528f378118e50811e49e0290395f5f2695e825
Instruction ID: ad3a254000084adc0876b2f50f9d1c212c33c4a503dc35e345705abc8a4fa975
Opcode Fuzzy Hash: 5f50fcd9df2ceff515cb41240a528f378118e50811e49e0290395f5f2695e825
Instruction Fuzzy Hash: 7D117C31604200AFC710DF29D488B16BBE5FF85329F14C69DE8698B6A2DB34EC05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 008337B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00844891,?,?,00000035,?), ref: 008337E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00844891,?,?,00000035,?), ref: 008337F4

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: a51af313349052161755deb9e673d7d2f57ec76187e8424c5cbd3ec1fedd7e5e
Instruction ID: 546a499f8df207b88de0e17828b69375eca521a82fe90ac08822eb561bd65a1f
Opcode Fuzzy Hash: a51af313349052161755deb9e673d7d2f57ec76187e8424c5cbd3ec1fedd7e5e
Instruction Fuzzy Hash: 30F0E5B06043296AEB6017768C4DFEB3BAEFFC4761F000179F609D2291D9609904CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 0082B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0082B25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 0082B270

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 7203c404b4134019538a385ef0c67f8396eb36deb092c1b1c0b5e07b5e63e5ab
Instruction ID: 70e296ba3ac1022db4c4ea49949c0891c8b6b2d659e79fa57c9789c6e2d2e816
Opcode Fuzzy Hash: 7203c404b4134019538a385ef0c67f8396eb36deb092c1b1c0b5e07b5e63e5ab
Instruction Fuzzy Hash: E2F01D7180434DAFDB059FA4D805BAE7FB4FF0830AF008009F955A6192D3798651DF94

Uniqueness

Uniqueness Score: -1.00%

Function 008210BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008211FC), ref: 008210D4
CloseHandle.KERNEL32(?,?,008211FC), ref: 008210E9

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 7f377d287a7c8ef99e59127bf605b87461baea169addd93ea9e01d7dbc5cc768
Instruction ID: 8e83b5361f1b60d1c76ef1a3f9c9782daf363eb95e84eaf1fa1c36f7ff5ffe18
Opcode Fuzzy Hash: 7f377d287a7c8ef99e59127bf605b87461baea169addd93ea9e01d7dbc5cc768
Instruction Fuzzy Hash: DCE04F32004B10EEEB252B51FC09E7377A9FB04311B20882EF4A6805B1DB666CD0DB50

Uniqueness

Uniqueness Score: -1.00%

Function 007CCAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00810C40

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: b7964e0761ab0e2adc9d7be52480d2b0a7e80e7c66f34641f963921d13c14a8c
Instruction ID: b8f8c33736bc61efb6316647eb3851e7af3d790174372cd01af59c327f49bff3
Opcode Fuzzy Hash: b7964e0761ab0e2adc9d7be52480d2b0a7e80e7c66f34641f963921d13c14a8c
Instruction Fuzzy Hash: 3F323671900218EBCF15DF94C885FEDB7B9FF05304F24405DE80AAB292D779AA86DB61

Uniqueness

Uniqueness Score: -1.00%

Function 007F676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,007F6766,?,?,00000008,?,?,007FFEFE,00000000), ref: 007F6998

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 96976965fcd31b6f519bf0a073c56310222f5672dcc040bdae502360a404bc10
Instruction ID: 6569668c9d9d397e55e9b3cc102d63331883ab5f6ea39449290bbb9682802bfd
Opcode Fuzzy Hash: 96976965fcd31b6f519bf0a073c56310222f5672dcc040bdae502360a404bc10
Instruction Fuzzy Hash: E1B128716106099FD719CF28C48AB657BA0FF45364F25C65CEA9ACF3A2C339E991CB40

Uniqueness

Uniqueness Score: -1.00%

Function 007DB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0081851F

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: ee7103c07059894ae5d0c61919d29b6fe19a2247ad80c6c9f67cd2291da6c6a2
Instruction ID: 3466f9e085206b3a6971243648f2a1d2a272acfa3cf7fd3807c81a80fc74ca8c
Opcode Fuzzy Hash: ee7103c07059894ae5d0c61919d29b6fe19a2247ad80c6c9f67cd2291da6c6a2
Instruction Fuzzy Hash: C7124C71900229DFCB24CF58C881AEEB7B5FF48710F15819AE849EB355EB349E81DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0083EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0083EABD

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: dfed2d944e567649ee5aeacb47d8230a7a143eb3fdd6bf239e72312f5d71267f
Instruction ID: d987e6ad258b909dae03e3b3ee334f162fad595c613ccb9e32d7c56a3581d5a1
Opcode Fuzzy Hash: dfed2d944e567649ee5aeacb47d8230a7a143eb3fdd6bf239e72312f5d71267f
Instruction Fuzzy Hash: 32E01A322002159FC710EF59D809E9AB7E9FFA8760F00841EFC49C7391DA74A8418B90

Uniqueness

Uniqueness Score: -1.00%

Function 007E09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,007E03EE), ref: 007E09DA

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 58b9af771e2ca188bea57c2b146403731b525caf99fee8bfdf429199e74383ef
Instruction ID: 4b289d58ed6846241651945082a97c771a076513493dd050ca59505ecc453a3e
Opcode Fuzzy Hash: 58b9af771e2ca188bea57c2b146403731b525caf99fee8bfdf429199e74383ef
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 007E781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 007E798B

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: d20d3b89a437ce60f300e36af216d74fff09c1750bbd99148567e1c9af7f25d7
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: E751777160F7C59BDB3C856B889E7BE23899F2E340F180519D886CB283CA1DEE41D352

Uniqueness

Uniqueness Score: -1.00%

Function 007F6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 610e053a570f798a8a2ffa9050d003e615fa56b4fba81d478a5092db2b9fae90
Instruction ID: 8d1415c0e17fe7c24809d06659b54e72ee9fd42b64e0377910cb7435289fed6d
Opcode Fuzzy Hash: 610e053a570f798a8a2ffa9050d003e615fa56b4fba81d478a5092db2b9fae90
Instruction Fuzzy Hash: E2326622D29F454DD7279634CC22335A249BFB73C5F16D737F81AB5AAAEB69C4838100

Uniqueness

Uniqueness Score: -1.00%

Function 007DCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c3e9f35c5e6b671ddba8c16e4d4504c8120f1e6c5e87e7c9a17949c20caee8d
Instruction ID: 558f59ca05792296efc4bde2406d830102d2dd11313ea56df4543f0a42932f63
Opcode Fuzzy Hash: 5c3e9f35c5e6b671ddba8c16e4d4504c8120f1e6c5e87e7c9a17949c20caee8d
Instruction Fuzzy Hash: 8C321271A8411A8BCF29CE28C4906FD7BB9FF45314F28856BD98ACB291D234DDC1DB51

Uniqueness

Uniqueness Score: -1.00%

Function 007C7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efdc0a6060e1e83312e8e2416d3a349a8142d29788739739220a0cbc4a9b8364
Instruction ID: 1cb511f9e291a912e35b85d0020bd061200ceb4f2ab9015e5bf701a1d8e7af71
Opcode Fuzzy Hash: efdc0a6060e1e83312e8e2416d3a349a8142d29788739739220a0cbc4a9b8364
Instruction Fuzzy Hash: D6227CB0A04609DBDF14CFA8D885AAEB7B5FF44300F14452DE816E7291EB3AAD54CF64

Uniqueness

Uniqueness Score: -1.00%

Function 007C91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23dcb5c7e5d19adfca8a7d2a4722b655e9c9a0982d23b4768113a3a3a8d03525
Instruction ID: 923189a5879ce87944714379cdb0fb087de765304a21c893fcaf168451a9f816
Opcode Fuzzy Hash: 23dcb5c7e5d19adfca8a7d2a4722b655e9c9a0982d23b4768113a3a3a8d03525
Instruction Fuzzy Hash: CD02C3B1A00209EBDB44DF64DC85BAEB7B1FF44304F108569E946DB3D1EB35AA60CB91

Uniqueness

Uniqueness Score: -1.00%

Function 007E1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 11a7d0590290f14b716a3450ea77b2777c41190593857819553e80f56ea0afd8
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: C491997260A0E34ADB29863F853603DFFE15A563A235A079DE4F2CB1C5FE38D954D620

Uniqueness

Uniqueness Score: -1.00%

Function 007E19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: bfbd99ed2bf3ca4a59d6312b8bbe197e2a4933f05481fa678a265031adf7912c
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: FB91657220A0E34ADB2D427B857603DFFE15A963A135A47AED4F3CA1C1FD38D554D620

Uniqueness

Uniqueness Score: -1.00%

Function 007E7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ddf15903a37f5009b7e07001d006686b85c40c43cbca49ab7037a8aa9e2a19
Instruction ID: cbca08b55e3726d1b66965a8f28016edaecd5df014110778c3408711f9d90cd4
Opcode Fuzzy Hash: 52ddf15903a37f5009b7e07001d006686b85c40c43cbca49ab7037a8aa9e2a19
Instruction Fuzzy Hash: 42618DB160A7C996DA3C992F8C95BBF3398DF4D700F20492DE842CB291D61D9E42C366

Uniqueness

Uniqueness Score: -1.00%

Function 007E7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61c20ed4cbb62b745bed122d529e757d2ea092871c71529f1f75c13b279ea01e
Instruction ID: cd4aa90e27dfe2710018755f352da717dcac4fd342adc2214a301464c976b726
Opcode Fuzzy Hash: 61c20ed4cbb62b745bed122d529e757d2ea092871c71529f1f75c13b279ea01e
Instruction Fuzzy Hash: 42618C7130A7C9A6DE3CCA2B4C95BBF2389DF4E704F100959E942DF281DA1EAD42C356

Uniqueness

Uniqueness Score: -1.00%

Function 007E1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 46f0a54b4f3c58ac6cb6e4740ce65050a7bbe078d11bf0596ebea0b19d85c8df
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: F881867260A0E34ADB2D423B857643EFFE15A963B135A079DD4F2CB1C2EE38D554D620

Uniqueness

Uniqueness Score: -1.00%

Function 01903640 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015781313.0000000001900000.00000040.00001000.00020000.00000000.sdmp, Offset: 01900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1900000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: beaa36a4242b0d729487fb872805de47375bccf9536c9bf29a6e27b94131d077
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: ED41C271D1051CEFCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00832046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50c1a38ae5d457dc15b97de159f7575df8f929a98325d2ab8a8a4596eda4d9fb
Instruction ID: ec68498554b605cf039629a24612ed0b9eb664e3e3914c88a43fb8e0b05bb0f5
Opcode Fuzzy Hash: 50c1a38ae5d457dc15b97de159f7575df8f929a98325d2ab8a8a4596eda4d9fb
Instruction Fuzzy Hash: 0B21AB326215118BD72CDE79C82267E73E5F764310F19852EE4A7C77D0DE359904CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01903530 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015781313.0000000001900000.00000040.00001000.00020000.00000000.sdmp, Offset: 01900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1900000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 4cbb49958dbb5ddddba4aedccdbb1c39978456b07145ba01b9df714f62875ab4
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: BF019278A00109EFCB45DF98C5909AEF7B5FB48310F608699D809A7751D731AE41DB80

Uniqueness

Uniqueness Score: -1.00%

Function 019034D0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015781313.0000000001900000.00000040.00001000.00020000.00000000.sdmp, Offset: 01900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1900000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 690f1c99fe6d7942f599dd8911f08a356c35a37c5a904c04162e35195eb0b4b8
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 5C019278A00109EFCB49DF98C5909AEF7B5FB48310F608599D809A7741D731EE41DB80

Uniqueness

Uniqueness Score: -1.00%

Function 01901ED0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015781313.0000000001900000.00000040.00001000.00020000.00000000.sdmp, Offset: 01900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1900000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Uniqueness

Uniqueness Score: -1.00%

Function 00842ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00842B30
DeleteObject.GDI32(00000000), ref: 00842B43
DestroyWindow.USER32 ref: 00842B52
GetDesktopWindow.USER32 ref: 00842B6D
GetWindowRect.USER32(00000000), ref: 00842B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00842CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00842CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00842CF8
GetClientRect.USER32(00000000,?), ref: 00842D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00842D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00842D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00842D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00842D80
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00842D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00842D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00842DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00842DA8
GlobalFree.KERNEL32(00000000), ref: 00842DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00842DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0085FC38,00000000), ref: 00842DDB
GlobalFree.KERNEL32(00000000), ref: 00842DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00842E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00842E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00842E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0084303F

Strings

AutoIt v3, xrefs: 00842CF2
, xrefs: 00842FC5
static, xrefs: 00842D3A, 00842E91
DISPLAY, xrefs: 00842EA2

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 8d9c176df576b11fb12cc5be776d6dd48d6324532d14457f18fb19c54485d619
Instruction ID: bac7b0a61116de4fa1221f45754291edfb99ed31310837df42f0f63bb99e4c95
Opcode Fuzzy Hash: 8d9c176df576b11fb12cc5be776d6dd48d6324532d14457f18fb19c54485d619
Instruction Fuzzy Hash: BD023771900209EFDB14DFA4DC89EAE7BB9FB48711F048159F915AB2A1DB78AD01CF60

Uniqueness

Uniqueness Score: -1.00%

Function 008570D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0085712F
GetSysColorBrush.USER32(0000000F), ref: 00857160
GetSysColor.USER32(0000000F), ref: 0085716C
SetBkColor.GDI32(?,000000FF), ref: 00857186
SelectObject.GDI32(?,?), ref: 00857195
InflateRect.USER32(?,000000FF,000000FF), ref: 008571C0
GetSysColor.USER32(00000010), ref: 008571C8
CreateSolidBrush.GDI32(00000000), ref: 008571CF
FrameRect.USER32(?,?,00000000), ref: 008571DE
DeleteObject.GDI32(00000000), ref: 008571E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00857230
FillRect.USER32(?,?,?), ref: 00857262
GetWindowLongW.USER32(?,000000F0), ref: 00857284

Part of subcall function 008573E8: GetSysColor.USER32(00000012), ref: 00857421
Part of subcall function 008573E8: SetTextColor.GDI32(?,?), ref: 00857425
Part of subcall function 008573E8: GetSysColorBrush.USER32(0000000F), ref: 0085743B
Part of subcall function 008573E8: GetSysColor.USER32(0000000F), ref: 00857446
Part of subcall function 008573E8: GetSysColor.USER32(00000011), ref: 00857463
Part of subcall function 008573E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00857471
Part of subcall function 008573E8: SelectObject.GDI32(?,00000000), ref: 00857482
Part of subcall function 008573E8: SetBkColor.GDI32(?,00000000), ref: 0085748B
Part of subcall function 008573E8: SelectObject.GDI32(?,?), ref: 00857498
Part of subcall function 008573E8: InflateRect.USER32(?,000000FF,000000FF), ref: 008574B7
Part of subcall function 008573E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008574CE
Part of subcall function 008573E8: GetWindowLongW.USER32(00000000,000000F0), ref: 008574DB

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: cf4c9166ffe574330998350fc3ffd2ad1491b1cbffa8e1f68296cb7b504372ee
Instruction ID: 613af097dd048f79602dde4377ab3607ecc6dfae2ddd3f88496ef5504128bd9c
Opcode Fuzzy Hash: cf4c9166ffe574330998350fc3ffd2ad1491b1cbffa8e1f68296cb7b504372ee
Instruction Fuzzy Hash: D2A19072008701AFDB019F64DC48A5BBBA9FB49322F104A19F9A2D61E1E779E948CF51

Uniqueness

Uniqueness Score: -1.00%

Function 007D8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 007D8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00816AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00816AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00816F43

Part of subcall function 007D8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,007D8BE8,?,00000000,?,?,?,?,007D8BBA,00000000,?), ref: 007D8FC5

SendMessageW.USER32(?,00001053), ref: 00816F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00816F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00816FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00816FB7

Strings

0, xrefs: 00816DCF

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: c3b5572a834f7ebb10586694c2ab6671e69d7004183675473ba3599cc32d288f
Instruction ID: 7714bac147c9fe0fdeeab4b91ff80050bbffb42616accee3f0715a61dce54d6b
Opcode Fuzzy Hash: c3b5572a834f7ebb10586694c2ab6671e69d7004183675473ba3599cc32d288f
Instruction Fuzzy Hash: 3F129C30204201DFDB65DF24D888BA5BBF9FF44311F58456AE485CB261DB35E8A2DF92

Uniqueness

Uniqueness Score: -1.00%

Function 00842711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0084273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0084286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 008428A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 008428B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00842900
GetClientRect.USER32(00000000,?), ref: 0084290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00842955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00842964
GetStockObject.GDI32(00000011), ref: 00842974
SelectObject.GDI32(00000000,00000000), ref: 00842978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00842988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00842991
DeleteDC.GDI32(00000000), ref: 0084299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 008429C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 008429DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00842A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00842A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00842A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00842A77
GetStockObject.GDI32(00000011), ref: 00842A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00842A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00842A97

Strings

AutoIt v3, xrefs: 008428F8
static, xrefs: 0084294F, 00842A71
DISPLAY, xrefs: 0084295A
msctls_progress32, xrefs: 00842A13

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: e1f576ec30ccbcc831cb241bac210fa42b2e2981c165b36a55fc6f984f0b99e0
Instruction ID: 6ac38a78566d360cebea23bc96c49bb84e08a12921675d66f08985a8a889a2a9
Opcode Fuzzy Hash: e1f576ec30ccbcc831cb241bac210fa42b2e2981c165b36a55fc6f984f0b99e0
Instruction Fuzzy Hash: 47B13A71A40219AFEB14DF68DC8AFAE7BB9FB08715F004159F915E7290DB78AD40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00834ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00834AED
GetDriveTypeW.KERNEL32(?,0085CB68,?,\\.\,0085CC08), ref: 00834BCA
SetErrorMode.KERNEL32(00000000,0085CB68,?,\\.\,0085CC08), ref: 00834D36

Strings

ATAPI, xrefs: 00834C91
Network, xrefs: 00834C02
1394, xrefs: 00834C9F
PhysicalDrive, xrefs: 00834B76
Fibre, xrefs: 00834CAD
SSD, xrefs: 00834C4A
FileBackedVirtual, xrefs: 00834CEC
SAS, xrefs: 00834CC9
SATA, xrefs: 00834CD0
Fixed, xrefs: 00834C09
Unknown, xrefs: 00834BED, 00834C83
iSCSI, xrefs: 00834CC2
Virtual, xrefs: 00834CE5
CDROM, xrefs: 00834BFB
\\.\, xrefs: 00834B3F
ATA, xrefs: 00834C98
RAID, xrefs: 00834CBB
USB, xrefs: 00834CB4
MMC, xrefs: 00834CDE
Removable, xrefs: 00834C10, 00834C15
RAMDisk, xrefs: 00834BF4
SCSI, xrefs: 00834C8A
SSA, xrefs: 00834CA6

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 0c4e2900f506a46f576bb863c48a62ac30786e7256529912e7b718f52fe51936
Instruction ID: 855fe11cbfef22b4d75f868a83d3eee09bb7f09193d7fbd345608dd7cf203110
Opcode Fuzzy Hash: 0c4e2900f506a46f576bb863c48a62ac30786e7256529912e7b718f52fe51936
Instruction Fuzzy Hash: C4619330605209DBCB14EF64CA85D69B7A1FB84304F24A419F816EB752EB3AFD52DBC1

Uniqueness

Uniqueness Score: -1.00%

Function 008573E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00857421
SetTextColor.GDI32(?,?), ref: 00857425
GetSysColorBrush.USER32(0000000F), ref: 0085743B
GetSysColor.USER32(0000000F), ref: 00857446
CreateSolidBrush.GDI32(?), ref: 0085744B
GetSysColor.USER32(00000011), ref: 00857463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00857471
SelectObject.GDI32(?,00000000), ref: 00857482
SetBkColor.GDI32(?,00000000), ref: 0085748B
SelectObject.GDI32(?,?), ref: 00857498
InflateRect.USER32(?,000000FF,000000FF), ref: 008574B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008574CE
GetWindowLongW.USER32(00000000,000000F0), ref: 008574DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0085752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00857554
InflateRect.USER32(?,000000FD,000000FD), ref: 00857572
DrawFocusRect.USER32(?,?), ref: 0085757D
GetSysColor.USER32(00000011), ref: 0085758E
SetTextColor.GDI32(?,00000000), ref: 00857596
DrawTextW.USER32(?,008570F5,000000FF,?,00000000), ref: 008575A8
SelectObject.GDI32(?,?), ref: 008575BF
DeleteObject.GDI32(?), ref: 008575CA
SelectObject.GDI32(?,?), ref: 008575D0
DeleteObject.GDI32(?), ref: 008575D5
SetTextColor.GDI32(?,?), ref: 008575DB
SetBkColor.GDI32(?,?), ref: 008575E5

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: f3376bb53dfa6ac1cc055a71dfeaad18f84d3e2ac7882c40d247c728f6d41d66
Instruction ID: 95e4528ffd98773882fec507af1f19da99e66a7dae2ea0ee99f28d6cc61fcd2f
Opcode Fuzzy Hash: f3376bb53dfa6ac1cc055a71dfeaad18f84d3e2ac7882c40d247c728f6d41d66
Instruction Fuzzy Hash: 2B615C72900718AFDF019FA4DC49EAEBFB9FB08362F118115F915AB2A1E7749940CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00850FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00851128
GetDesktopWindow.USER32 ref: 0085113D
GetWindowRect.USER32(00000000), ref: 00851144
GetWindowLongW.USER32(?,000000F0), ref: 00851199
DestroyWindow.USER32(?), ref: 008511B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 008511ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0085120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0085121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00851232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00851245
IsWindowVisible.USER32(00000000), ref: 008512A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 008512BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 008512D0
GetWindowRect.USER32(00000000,?), ref: 008512E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0085130E
GetMonitorInfoW.USER32(00000000,?), ref: 00851328
CopyRect.USER32(?,?), ref: 0085133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 008513AA

Strings

0, xrefs: 008510D3
tooltips_class32, xrefs: 008511E6
(, xrefs: 0085131B

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: c31e7adf7dbf44aa55bc4ff14a1f303fede16c5cc7bac940fd59adc217c5801f
Instruction ID: 9d0e937be3b844490c2fe1ee3641613475bdcd92d2dae75dcc5c0b340e1c6413
Opcode Fuzzy Hash: c31e7adf7dbf44aa55bc4ff14a1f303fede16c5cc7bac940fd59adc217c5801f
Instruction Fuzzy Hash: F9B16971604341AFDB04DF64C889B6ABBE4FF88355F00891CF999DB2A1D775E848CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00850241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008502E5
_wcslen.LIBCMT ref: 0085031F
_wcslen.LIBCMT ref: 00850389
_wcslen.LIBCMT ref: 008503F1
_wcslen.LIBCMT ref: 00850475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 008504C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00850504

Part of subcall function 007DF9F2: _wcslen.LIBCMT ref: 007DF9FD

Part of subcall function 0082223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00822258
Part of subcall function 0082223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0082228A

Strings

VIEWCHANGE, xrefs: 00850675
SELECTINVERT, xrefs: 0085057E
GETSUBITEMCOUNT, xrefs: 00850384, 0085039F
DESELECT, xrefs: 0085059C
GETSELECTED, xrefs: 008505E1
GETSELECTEDCOUNT, xrefs: 00850470, 0085048B
FINDITEM, xrefs: 00850627
ISSELECTED, xrefs: 008504DD
GETITEMCOUNT, xrefs: 00850316, 00850337
SELECT, xrefs: 00850548
GETTEXT, xrefs: 008503EC, 00850407
SELECTCLEAR, xrefs: 0085052D
SELECTALL, xrefs: 00850515

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 4cbf2bfa232cc36519693051ea6965cdb1624c3507a1def24578bfd55e67900e
Instruction ID: bf0aac0a4af1b11eb98ab7a33f3d1ed5a5a9d19a398e9243037498ebd695f185
Opcode Fuzzy Hash: 4cbf2bfa232cc36519693051ea6965cdb1624c3507a1def24578bfd55e67900e
Instruction Fuzzy Hash: A6E18C312083059FC714EF24C55196AB3E6FF98319B14496DF896EB3A2DB34ED49CB82

Uniqueness

Uniqueness Score: -1.00%

Function 007D8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007D8968
GetSystemMetrics.USER32(00000007), ref: 007D8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007D899B
GetSystemMetrics.USER32(00000008), ref: 007D89A3
GetSystemMetrics.USER32(00000004), ref: 007D89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 007D89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 007D89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 007D8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 007D8A3C
GetClientRect.USER32(00000000,000000FF), ref: 007D8A5A
GetStockObject.GDI32(00000011), ref: 007D8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 007D8A81

Part of subcall function 007D912D: GetCursorPos.USER32(?), ref: 007D9141
Part of subcall function 007D912D: ScreenToClient.USER32(00000000,?), ref: 007D915E
Part of subcall function 007D912D: GetAsyncKeyState.USER32(00000001), ref: 007D9183
Part of subcall function 007D912D: GetAsyncKeyState.USER32(00000002), ref: 007D919D

SetTimer.USER32(00000000,00000000,00000028,007D90FC), ref: 007D8AA8

Strings

AutoIt v3 GUI, xrefs: 007D8A20

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 242b7a713c3fd7bc7ed578763a6ba37bfdec7ed713254db2e7e5e1a452b2a71d
Instruction ID: efa9598c6257c2bc600d8fcf70ab0f4ef601b5a934fce723bd6618383dd9bf6d
Opcode Fuzzy Hash: 242b7a713c3fd7bc7ed578763a6ba37bfdec7ed713254db2e7e5e1a452b2a71d
Instruction Fuzzy Hash: 52B17E75A0020A9FDF14DFA8CC49BAE7BB5FB48315F14422AFA55E7290DB38A840CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00820D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00821114
Part of subcall function 008210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00820B9B,?,?,?), ref: 00821120
Part of subcall function 008210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00820B9B,?,?,?), ref: 0082112F
Part of subcall function 008210F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00820B9B,?,?,?), ref: 00821136
Part of subcall function 008210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0082114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00820DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00820E29
GetLengthSid.ADVAPI32(?), ref: 00820E40
GetAce.ADVAPI32(?,00000000,?), ref: 00820E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00820E96
GetLengthSid.ADVAPI32(?), ref: 00820EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00820EB5
HeapAlloc.KERNEL32(00000000), ref: 00820EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00820EDD
CopySid.ADVAPI32(00000000), ref: 00820EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00820F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00820F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00820F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00820F6E
HeapFree.KERNEL32(00000000), ref: 00820F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00820F7E
HeapFree.KERNEL32(00000000), ref: 00820F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00820F8E
HeapFree.KERNEL32(00000000), ref: 00820F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00820FA1
HeapFree.KERNEL32(00000000), ref: 00820FA8

Part of subcall function 00821193: GetProcessHeap.KERNEL32(00000008,00820BB1,?,00000000,?,00820BB1,?), ref: 008211A1
Part of subcall function 00821193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00820BB1,?), ref: 008211A8
Part of subcall function 00821193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00820BB1,?), ref: 008211B7

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: b82d427d22c0f5630cd0f011efd4089353a714539e81240059e0a1e1a129a1dc
Instruction ID: e8fd5a8f357dda4ca454edf5055c1e289083482d309abcadce38e1268c6ff566
Opcode Fuzzy Hash: b82d427d22c0f5630cd0f011efd4089353a714539e81240059e0a1e1a129a1dc
Instruction Fuzzy Hash: 4E71587290031AAFDF209FA4ED48BAEBBB8FF04311F144115F959E6192DB359A49CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0084C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0084C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0085CC08,00000000,?,00000000,?,?), ref: 0084C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0084C5A4
_wcslen.LIBCMT ref: 0084C5F4
_wcslen.LIBCMT ref: 0084C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0084C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0084C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0084C84D
RegCloseKey.ADVAPI32(?), ref: 0084C881
RegCloseKey.ADVAPI32(00000000), ref: 0084C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0084C960

Strings

REG_MULTI_SZ, xrefs: 0084C6F5
REG_EXPAND_SZ, xrefs: 0084C5CD
REG_DWORD, xrefs: 0084C804
REG_QWORD, xrefs: 0084C8C3
REG_SZ, xrefs: 0084C644
REG_BINARY, xrefs: 0084C913

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 87f9d3bf61069cc4fd4be5c2b38af3e5630a831d4e4255ce4b497af9dc25e154
Instruction ID: be2dd260acb22fb38b473eb4da6896b001c3d3eb43183bb3858c07a2195cdbe6
Opcode Fuzzy Hash: 87f9d3bf61069cc4fd4be5c2b38af3e5630a831d4e4255ce4b497af9dc25e154
Instruction Fuzzy Hash: 1D123335604204DFDB54DF14C885E2AB7E9FF88714F14889CF88A9B2A2DB35ED41CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0085091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008509C6
_wcslen.LIBCMT ref: 00850A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00850A54
_wcslen.LIBCMT ref: 00850A8A
_wcslen.LIBCMT ref: 00850B06
_wcslen.LIBCMT ref: 00850B81

Part of subcall function 007DF9F2: _wcslen.LIBCMT ref: 007DF9FD

Part of subcall function 00822BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00822BFA

Strings

GETTOTALCOUNT, xrefs: 008509F2, 00850A17
EXISTS, xrefs: 00850B7C, 00850B97
GETITEMCOUNT, xrefs: 00850C1E
SELECT, xrefs: 00850D11
EXPAND, xrefs: 00850BF8
GETTEXT, xrefs: 00850C97
CHECK, xrefs: 00850A85, 00850AA0
GETSELECTED, xrefs: 00850C4E
UNCHECK, xrefs: 00850D3E
ISCHECKED, xrefs: 00850CE1
COLLAPSE, xrefs: 00850B01, 00850B1C

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: c51dc83d486010271f7f126d6b0567284bd58b4e2e66e7241a66aa9cf673576d
Instruction ID: 069bf50da15b63899b403c40f4cfe979c524736a96c0bd3eeb07e5e1809b08bc
Opcode Fuzzy Hash: c51dc83d486010271f7f126d6b0567284bd58b4e2e66e7241a66aa9cf673576d
Instruction Fuzzy Hash: B4E157356083119FC714EF24C49092AB7E2FF98319B14895DF896AB362DB35ED49CF82

Uniqueness

Uniqueness Score: -1.00%

Function 0084C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0084B6AE,?,?), ref: 0084C9B5
_wcslen.LIBCMT ref: 0084C9F1
_wcslen.LIBCMT ref: 0084CA68
_wcslen.LIBCMT ref: 0084CA9E
_wcslen.LIBCMT ref: 0084CAF9
_wcslen.LIBCMT ref: 0084CB2F
_wcslen.LIBCMT ref: 0084CB7F

Strings

HKEY_CURRENT_USER, xrefs: 0084CBBD
HKCR, xrefs: 0084CB29, 0084CB2E
HKEY_LOCAL_MACHINE, xrefs: 0084CA62, 0084CA67
HKCC, xrefs: 0084CBAC
HKCU, xrefs: 0084CBCE
HKU, xrefs: 0084CBF0
HKEY_USERS, xrefs: 0084CBDF
HKLM, xrefs: 0084CA98, 0084CA9D
HKEY_CLASSES_ROOT, xrefs: 0084CAF3, 0084CAF8
HKEY_CURRENT_CONFIG, xrefs: 0084CB79, 0084CB7E

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 67eee131789614d5098ba0191f8899b16f4eae76c563fc53787b7cf22e82a1f7
Instruction ID: 2466a167981afbf23a6eeb048a47ef226ff5866224fda638ed2ab8feb5e560e5
Opcode Fuzzy Hash: 67eee131789614d5098ba0191f8899b16f4eae76c563fc53787b7cf22e82a1f7
Instruction Fuzzy Hash: 5D71167260212E8BCB60EE7CCD515BE33A9FF60764B250528FC66E7284EA35DD44C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0085833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0085835A
_wcslen.LIBCMT ref: 0085836E
_wcslen.LIBCMT ref: 00858391
_wcslen.LIBCMT ref: 008583B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 008583F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00855BF2), ref: 0085844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00858487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 008584CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00858501
FreeLibrary.KERNEL32(?), ref: 0085850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0085851D
DestroyIcon.USER32(?,?,?,?,?,00855BF2), ref: 0085852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00858549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00858555

Strings

.exe, xrefs: 00858388
.dll, xrefs: 008583AB
.icl, xrefs: 00858368

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 86b6ce909afbbb3c0a9d1292aadd631f5654f4cad30e1cb47e919773224aff60
Instruction ID: 1dc692e3f9c63079141f89cab4e051a1bed2853b7ff8af6e103b3bc514486003
Opcode Fuzzy Hash: 86b6ce909afbbb3c0a9d1292aadd631f5654f4cad30e1cb47e919773224aff60
Instruction Fuzzy Hash: C461AE71500319FEEB149F64CC85BBE77A8FB08B22F10454AFD15E61D1EB78A994CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 007C7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#ce, xrefs: 007C78ED
#requireadmin, xrefs: 007C77FF
#include, xrefs: 007C7847
Cannot parse #include, xrefs: 00805279
#comments-start, xrefs: 007C785F, 007C78B1
#comments-end, xrefs: 007C78D9
Unterminated group of comments, xrefs: 0080528C
', xrefs: 00805169
#pragma compile, xrefs: 007C77D3
#OnAutoItStartRegister, xrefs: 007C7817
", xrefs: 00805153
Bad directive syntax error, xrefs: 0080519A
#include-once, xrefs: 007C782F
#notrayicon, xrefs: 007C77E7
#cs, xrefs: 007C7873, 007C78C5

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 91b3eab75bd1a7abf67cccf642368dbf971bd91d3b3149b4f797d2a65e0070b6
Instruction ID: 329f013c8e33aff447018a4b260cf5543fe9fe30895c5b665ae13ff246ea91d8
Opcode Fuzzy Hash: 91b3eab75bd1a7abf67cccf642368dbf971bd91d3b3149b4f797d2a65e0070b6
Instruction Fuzzy Hash: 2781D471644609FBDB64AF60CD46FAF37A8FF14300F04402DF915AA296EB78DA15CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00825A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00825A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00825A40
SetWindowTextW.USER32(?,?), ref: 00825A57
GetDlgItem.USER32(?,000003EA), ref: 00825A6C
SetWindowTextW.USER32(00000000,?), ref: 00825A72
GetDlgItem.USER32(?,000003E9), ref: 00825A82
SetWindowTextW.USER32(00000000,?), ref: 00825A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00825AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00825AC3
GetWindowRect.USER32(?,?), ref: 00825ACC
_wcslen.LIBCMT ref: 00825B33
SetWindowTextW.USER32(?,?), ref: 00825B6F
GetDesktopWindow.USER32 ref: 00825B75
GetWindowRect.USER32(00000000), ref: 00825B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00825BD3
GetClientRect.USER32(?,?), ref: 00825BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00825C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00825C2F

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 0a276f5aa06b136a5988a4c09130079ca6db8a0b7968c0e205bba207cf1288d1
Instruction ID: da2a4ff784b034964ab7b0e343dfb26438f3a42255afddad2daab6eb8c45038b
Opcode Fuzzy Hash: 0a276f5aa06b136a5988a4c09130079ca6db8a0b7968c0e205bba207cf1288d1
Instruction Fuzzy Hash: BB718C31900B19AFDB20DFA8DE89AAEBBF5FF48715F104918E542E25A0D774E984CF50

Uniqueness

Uniqueness Score: -1.00%

Function 007E00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 007E00C6

Part of subcall function 007E00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0089070C,00000FA0,74939FAF,?,?,?,?,008023B3,000000FF), ref: 007E011C
Part of subcall function 007E00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,008023B3,000000FF), ref: 007E0127
Part of subcall function 007E00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,008023B3,000000FF), ref: 007E0138
Part of subcall function 007E00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 007E014E
Part of subcall function 007E00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 007E015C
Part of subcall function 007E00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 007E016A
Part of subcall function 007E00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 007E0195
Part of subcall function 007E00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 007E01A0

___scrt_fastfail.LIBCMT ref: 007E00E7

Part of subcall function 007E00A3: __onexit.LIBCMT ref: 007E00A9

Strings

kernel32.dll, xrefs: 007E0133
SleepConditionVariableCS, xrefs: 007E0154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 007E0122
InitializeConditionVariable, xrefs: 007E0148
WakeAllConditionVariable, xrefs: 007E0162

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 2e302204897b988ef97af9656817004b8e3b123d28ad178768dee9b9dcbe99dd
Instruction ID: 5704595f4cea1ef2d04ecadd4c61e76f99e4a50c2358933773f4e1ee9e9e5739
Opcode Fuzzy Hash: 2e302204897b988ef97af9656817004b8e3b123d28ad178768dee9b9dcbe99dd
Instruction Fuzzy Hash: 4F21A732646754AFD7116BA5AC09B6E37B4FB09B62F14012AF911E6391DBBC98408ED0

Uniqueness

Uniqueness Score: -1.00%

Function 008230F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0082318D
_wcslen.LIBCMT ref: 008231F8

Strings

NAME, xrefs: 00823335, 00823346
REGEXPCLASS, xrefs: 00823255, 00823266
CLASSNN, xrefs: 008231F3, 00823204
CLASS, xrefs: 00823188, 008231A5
TEXT, xrefs: 0082347C
INSTANCE, xrefs: 00823453

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 02ef06e8c079e2b8f2932daddd329d916d51f623c2b0075f1e7d9ea5d6c040ff
Instruction ID: d37f5b5df863e973662a72d95a5611262eb30f3f5741d805b2730c2a7fd05f8a
Opcode Fuzzy Hash: 02ef06e8c079e2b8f2932daddd329d916d51f623c2b0075f1e7d9ea5d6c040ff
Instruction Fuzzy Hash: 94E1E232A00626EBCB14EFA8D465AEDBBB4FF14714F54811AE556F3240DB38AFC58790

Uniqueness

Uniqueness Score: -1.00%

Function 008344C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0085CC08), ref: 00834527
_wcslen.LIBCMT ref: 0083453B
_wcslen.LIBCMT ref: 00834599
_wcslen.LIBCMT ref: 008345F4
_wcslen.LIBCMT ref: 0083463F
_wcslen.LIBCMT ref: 008346A7

Part of subcall function 007DF9F2: _wcslen.LIBCMT ref: 007DF9FD

GetDriveTypeW.KERNEL32(?,00886BF0,00000061), ref: 00834743

Strings

removable, xrefs: 008345EA, 008345EF
all, xrefs: 00834531, 00834536
unknown, xrefs: 00834708
cdrom, xrefs: 0083458F, 00834594
ramdisk, xrefs: 008346F1
fixed, xrefs: 00834635, 0083463A
network, xrefs: 0083469D, 008346A2

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 3484166220c0fa6df35975e944ed1725e60799aef3c072f8575c0494c138b9d2
Instruction ID: cf47882f041c04211554472462418021f935d3f08fa77f7029befdf8c78dc129
Opcode Fuzzy Hash: 3484166220c0fa6df35975e944ed1725e60799aef3c072f8575c0494c138b9d2
Instruction Fuzzy Hash: 85B110316083029FC710EF28C895A6AB7E5FFE5764F50591DF496C7292E734E844CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0084AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0084B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0084B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0084B1D4
_wcslen.LIBCMT ref: 0084B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0084B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0084B236
_wcslen.LIBCMT ref: 0084B332

Part of subcall function 008305A7: GetStdHandle.KERNEL32(000000F6), ref: 008305C6

_wcslen.LIBCMT ref: 0084B34B
_wcslen.LIBCMT ref: 0084B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0084B3B6
GetLastError.KERNEL32(00000000), ref: 0084B407
CloseHandle.KERNEL32(?), ref: 0084B439
CloseHandle.KERNEL32(00000000), ref: 0084B44A
CloseHandle.KERNEL32(00000000), ref: 0084B45C
CloseHandle.KERNEL32(00000000), ref: 0084B46E
CloseHandle.KERNEL32(?), ref: 0084B4E3

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 1b20c46a3af280c37577123d2bbcb1a90abda67dcdb567f10a3d1ee40dd4c152
Instruction ID: 67d26ea0b7cf247574ad894151ec6a8a7cdb6b4d58bb11d169c773b28d5663d7
Opcode Fuzzy Hash: 1b20c46a3af280c37577123d2bbcb1a90abda67dcdb567f10a3d1ee40dd4c152
Instruction Fuzzy Hash: C6F16531608244DFC724EF24C895B2ABBE5FF84314F14855DF8999B2A2CB35EC40CB92

Uniqueness

Uniqueness Score: -1.00%

Function 007C326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00891990), ref: 00802F8D
GetMenuItemCount.USER32(00891990), ref: 0080303D
GetCursorPos.USER32(?), ref: 00803081
SetForegroundWindow.USER32(00000000), ref: 0080308A
TrackPopupMenuEx.USER32(00891990,00000000,?,00000000,00000000,00000000), ref: 0080309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008030A9

Strings

0, xrefs: 007C327D

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 308021bd3d145a16e1964af9e8a1ea759cce1fa4d29240c18f0435be9ce00830
Instruction ID: 858fe4a1ab6d46897904f843d0255b8a38af4c403606ae0e591ec51fc73b42de
Opcode Fuzzy Hash: 308021bd3d145a16e1964af9e8a1ea759cce1fa4d29240c18f0435be9ce00830
Instruction Fuzzy Hash: A1713870640316BEEB218F68DC4DF9ABF68FF04364F20421AF915A61E0C7B5AD10CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00856CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00856DEB

Part of subcall function 007C6B57: _wcslen.LIBCMT ref: 007C6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00856E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00856E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00856E94
DestroyWindow.USER32(?), ref: 00856EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,007C0000,00000000), ref: 00856EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00856EFD
GetDesktopWindow.USER32 ref: 00856F16
GetWindowRect.USER32(00000000), ref: 00856F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00856F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00856F4D

Part of subcall function 007D9944: GetWindowLongW.USER32(?,000000EB), ref: 007D9952

Strings

tooltips_class32, xrefs: 00856E58, 00856EDD
0, xrefs: 00856D98

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 633f95788dab64a658ff63a0fd8a6e3982aeaee4b81c52d4c47e79f9f2330755
Instruction ID: 234091d1ffdf65cfcecc9ad01ea8c6df89d5ab738ba6ea19db615baa92533b52
Opcode Fuzzy Hash: 633f95788dab64a658ff63a0fd8a6e3982aeaee4b81c52d4c47e79f9f2330755
Instruction Fuzzy Hash: 2F717870504345AFDB21DF18D848FAABBE9FB98306F94051EF989C7260DB74A91ACF11

Uniqueness

Uniqueness Score: -1.00%

Function 0085911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2

DragQueryPoint.SHELL32(?,?), ref: 00859147

Part of subcall function 00857674: ClientToScreen.USER32(?,?), ref: 0085769A
Part of subcall function 00857674: GetWindowRect.USER32(?,?), ref: 00857710
Part of subcall function 00857674: PtInRect.USER32(?,?,00858B89), ref: 00857720

SendMessageW.USER32(?,000000B0,?,?), ref: 008591B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 008591BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 008591DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00859225
SendMessageW.USER32(?,000000B0,?,?), ref: 0085923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00859255
SendMessageW.USER32(?,000000B1,?,?), ref: 00859277
DragFinish.SHELL32(?), ref: 0085927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00859371

Strings

@GUI_DRAGID, xrefs: 008592E9
@GUI_DRAGFILE, xrefs: 00859320
@GUI_DROPID, xrefs: 0085929E

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: afabefc31699d937d1b77eb523e8dcf6c9747ad1183791a4da3c80a2f70b1478
Instruction ID: b9df979530ebeaa32944a4d3e3553421cc417edf425a0381945d297f1595e5ea
Opcode Fuzzy Hash: afabefc31699d937d1b77eb523e8dcf6c9747ad1183791a4da3c80a2f70b1478
Instruction Fuzzy Hash: 9F616C71108301AFC701EF64DC89EAFBBE9FF89751F40091EF695922A1DB349A49CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0083C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0083C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0083C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0083C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0083C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0083C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0083C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0083C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0083C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0083C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0083C5F0
InternetCloseHandle.WININET(00000000), ref: 0083C5FB

Strings

, xrefs: 0083C575

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: b2e8e2b4826ad9d462f0fa6bce5c9480974e6fe27e27f174932ef5e4847f9763
Instruction ID: a86021cee42dfcff71bd508984dad9678aa1c3bbfd5620b8809d3aa25f86cb83
Opcode Fuzzy Hash: b2e8e2b4826ad9d462f0fa6bce5c9480974e6fe27e27f174932ef5e4847f9763
Instruction Fuzzy Hash: C15138B1500708BFDB219F64C988AAB7BBCFB88755F00451AF946E6610DB74E944DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0085856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00858592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008585A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008585AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008585BA
GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008585C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008585D7
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008585E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008585E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008585F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0085FC38,?), ref: 00858611
GlobalFree.KERNEL32(00000000), ref: 00858621
GetObjectW.GDI32(?,00000018,?), ref: 00858641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00858671
DeleteObject.GDI32(?), ref: 00858699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 008586AF

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 28986443417416e9eb61899d6ad1fdd9aefc32d5aa9d0abe95a8d9f9b7d4f5fd
Instruction ID: 6372ee05ddc3f96681af8d8353cef5d8a9b0e7c0d4b095abf6c02dfeed293cff
Opcode Fuzzy Hash: 28986443417416e9eb61899d6ad1fdd9aefc32d5aa9d0abe95a8d9f9b7d4f5fd
Instruction Fuzzy Hash: 36410775600308EFDB119FA5CC48EAABBB8FF99B16F104059F90AE7260DB349945CF60

Uniqueness

Uniqueness Score: -1.00%

Function 008314BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00831502
VariantCopy.OLEAUT32(?,?), ref: 0083150B
VariantClear.OLEAUT32(?), ref: 00831517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 008315FB
VarR8FromDec.OLEAUT32(?,?), ref: 00831657
VariantInit.OLEAUT32(?), ref: 00831708
SysFreeString.OLEAUT32(?), ref: 0083178C
VariantClear.OLEAUT32(?), ref: 008317D8
VariantClear.OLEAUT32(?), ref: 008317E7
VariantInit.OLEAUT32(00000000), ref: 00831823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00831625
Default, xrefs: 008316AF

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: dbb1e585b509660ed7b1c9615fef8a48bd49b92c2cfb0598e7ec164c8dc612cb
Instruction ID: 5683be3c03ffecb98681da6544804c34960198e479f667bb01ece32e6949bd75
Opcode Fuzzy Hash: dbb1e585b509660ed7b1c9615fef8a48bd49b92c2cfb0598e7ec164c8dc612cb
Instruction Fuzzy Hash: 2CD1B171A00219EBDF109F65D88DB79B7B5FF84B04F14845AE806EB280DB38EC45DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0084B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

Part of subcall function 0084C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0084B6AE,?,?), ref: 0084C9B5
Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084C9F1
Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084CA68
Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0084B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0084B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0084B80A
RegCloseKey.ADVAPI32(?), ref: 0084B87E
RegCloseKey.ADVAPI32(?), ref: 0084B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0084B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0084B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0084B922
FreeLibrary.KERNEL32(00000000), ref: 0084B983
RegCloseKey.ADVAPI32(00000000), ref: 0084B994

Strings

advapi32.dll, xrefs: 0084B8ED
RegDeleteKeyExW, xrefs: 0084B8FE

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 6453ef7f7004ee4d0f858dbe0daa2827cf62d5ae30ed2c58a33d68b00d18b83a
Instruction ID: 0d022db7736114b4ca8787039d2c3ef67ee60df971509f30600908e32e9679ca
Opcode Fuzzy Hash: 6453ef7f7004ee4d0f858dbe0daa2827cf62d5ae30ed2c58a33d68b00d18b83a
Instruction Fuzzy Hash: 11C17B31208245EFD714DF24C499F2ABBE5FF84318F18855CE59A8B2A2CB35ED46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0084255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008425D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 008425E8
CreateCompatibleDC.GDI32(?), ref: 008425F4
SelectObject.GDI32(00000000,?), ref: 00842601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0084266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 008426AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 008426D0
SelectObject.GDI32(?,?), ref: 008426D8
DeleteObject.GDI32(?), ref: 008426E1
DeleteDC.GDI32(?), ref: 008426E8
ReleaseDC.USER32(00000000,?), ref: 008426F3

Strings

(, xrefs: 0084268D

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 5c43413ee84e23012ed105bbd59c29d0c68bee394c42e8f78a18f2f0e7793dc1
Instruction ID: d819e80876ad1845c5597e58cb96f3e1e0157af874c4bfc45156416322ecbe84
Opcode Fuzzy Hash: 5c43413ee84e23012ed105bbd59c29d0c68bee394c42e8f78a18f2f0e7793dc1
Instruction Fuzzy Hash: 1461C275D00619EFCF04CFA8D884AAEBBB5FF48310F20852AE955A7250E774A951CF54

Uniqueness

Uniqueness Score: -1.00%

Function 007FDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 007FDAA1

Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD659
Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD66B
Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD67D
Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD68F
Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD6A1
Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD6B3
Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD6C5
Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD6D7
Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD6E9
Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD6FB
Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD70D
Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD71F
Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD731

_free.LIBCMT ref: 007FDA96

Part of subcall function 007F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000), ref: 007F29DE
Part of subcall function 007F29C8: GetLastError.KERNEL32(00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000,00000000), ref: 007F29F0

_free.LIBCMT ref: 007FDAB8
_free.LIBCMT ref: 007FDACD
_free.LIBCMT ref: 007FDAD8
_free.LIBCMT ref: 007FDAFA
_free.LIBCMT ref: 007FDB0D
_free.LIBCMT ref: 007FDB1B
_free.LIBCMT ref: 007FDB26
_free.LIBCMT ref: 007FDB5E
_free.LIBCMT ref: 007FDB65
_free.LIBCMT ref: 007FDB82
_free.LIBCMT ref: 007FDB9A

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: a32cb01b92a63c2380454e4c83bf4aaba876aa326e018c79af99fe61a41ea6d6
Instruction ID: 799829d14c0927f6fe4ddb61f0c2f570c4dafb790b3ec564e3d1d76f330ca4fb
Opcode Fuzzy Hash: a32cb01b92a63c2380454e4c83bf4aaba876aa326e018c79af99fe61a41ea6d6
Instruction Fuzzy Hash: 2A315B71644209DFEB31AA78E849B7A77EAFF00311F114519E648E73A2DA79BC418B24

Uniqueness

Uniqueness Score: -1.00%

Function 0082365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0082369C
_wcslen.LIBCMT ref: 008236A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00823797
GetClassNameW.USER32(?,?,00000400), ref: 0082380C
GetDlgCtrlID.USER32(?), ref: 0082385D
GetWindowRect.USER32(?,?), ref: 00823882
GetParent.USER32(?), ref: 008238A0
ScreenToClient.USER32(00000000), ref: 008238A7
GetClassNameW.USER32(?,?,00000100), ref: 00823921
GetWindowTextW.USER32(?,?,00000400), ref: 0082395D

Strings

%s%u, xrefs: 00823734

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 69e2b7ba4c80add8fbb917325c4f7d224fa81c228ce40308d310342b16c1e8a5
Instruction ID: 9979dd12483b1417e44b77402b45ae15511227801ef39de92be695d03c182df0
Opcode Fuzzy Hash: 69e2b7ba4c80add8fbb917325c4f7d224fa81c228ce40308d310342b16c1e8a5
Instruction Fuzzy Hash: D791D171204726AFD718DF24D8A5FAAF7E9FF45340F008529F999C2190DB38EA85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00824954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00824994
GetWindowTextW.USER32(?,?,00000400), ref: 008249DA
_wcslen.LIBCMT ref: 008249EB
CharUpperBuffW.USER32(?,00000000), ref: 008249F7
_wcsstr.LIBVCRUNTIME ref: 00824A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00824A64
GetWindowTextW.USER32(?,?,00000400), ref: 00824A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00824AE6
GetClassNameW.USER32(?,?,00000400), ref: 00824B20
GetWindowRect.USER32(?,?), ref: 00824B8B

Strings

ThumbnailClass, xrefs: 00824A6F, 00824AF1

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: d517923fc514db12ed1325e499c8db71a616e65658b4dcea2ccce06cbac1415e
Instruction ID: 15a45442942fa4ad80686347ec42b88f27cfa446d0fbeeebe2c1198aeb70c367
Opcode Fuzzy Hash: d517923fc514db12ed1325e499c8db71a616e65658b4dcea2ccce06cbac1415e
Instruction Fuzzy Hash: A391BD7100432A9FDB04DF54E885BAA77E8FF84314F049469FD86DA096EB34ED85CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00858D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00858D5A
GetFocus.USER32 ref: 00858D6A
GetDlgCtrlID.USER32(00000000), ref: 00858D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00858E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00858ECF
GetMenuItemCount.USER32(?), ref: 00858EEC
GetMenuItemID.USER32(?,00000000), ref: 00858EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00858F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00858F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00858FA1

Strings

0, xrefs: 00858E9F

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 54b2f2117120532687064fbe8e47a92ea94cc5c6ace8f419ad98d628ccf38fc8
Instruction ID: 793dbcae710509eafbeead28c842877fb50cd406dd57fd32af0bde830010cdfe
Opcode Fuzzy Hash: 54b2f2117120532687064fbe8e47a92ea94cc5c6ace8f419ad98d628ccf38fc8
Instruction Fuzzy Hash: 30819C71508301EFDB10DF24C885AABBBEAFB88355F04095AFD85E7291DB30D908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0082DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0082DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0082DC46
_wcslen.LIBCMT ref: 0082DC50
_wcsstr.LIBVCRUNTIME ref: 0082DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0082DCBC

Strings

04090000, xrefs: 0082DCF2
StringFileInfo\, xrefs: 0082DC8F
\VarFileInfo\Translation, xrefs: 0082DCB4
DefaultLangCodepage, xrefs: 0082DD1F
%u.%u.%u.%u, xrefs: 0082DD9A

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: a386867116b18b4217fb03e19f739249b5ae75ded6a71faf90c527b0c6195cc0
Instruction ID: aab70a7a07a8eb06ce43e9ccc781235c6df8036d02e0cce7cae7bc2de571aa10
Opcode Fuzzy Hash: a386867116b18b4217fb03e19f739249b5ae75ded6a71faf90c527b0c6195cc0
Instruction Fuzzy Hash: 22412772940315BBDB10A7759C0BEFF3B6CFF49710F10006AFA01E6282EB7999418BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0084CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0084CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0084CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0084CD48

Part of subcall function 0084CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0084CCAA
Part of subcall function 0084CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0084CCBD
Part of subcall function 0084CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0084CCCF
Part of subcall function 0084CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0084CD05
Part of subcall function 0084CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0084CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0084CCF3

Strings

advapi32.dll, xrefs: 0084CCB8
RegDeleteKeyExW, xrefs: 0084CCC9

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 97d0a2d76dd8784f48c33537185f1c91d91a49f8940922e683c2c2709f459dbe
Instruction ID: 5a3a70278185d0505df676f476b1c4b9e4a69468dbe61879715e0740be9cd488
Opcode Fuzzy Hash: 97d0a2d76dd8784f48c33537185f1c91d91a49f8940922e683c2c2709f459dbe
Instruction Fuzzy Hash: D8318A7190222DBFDB609BA4DC88EFFBB7CFF05751F000165A906E2250DA389A45DAA0

Uniqueness

Uniqueness Score: -1.00%

Function 0082E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0082E6B4

Part of subcall function 007DE551: timeGetTime.WINMM(?,?,0082E6D4), ref: 007DE555

Sleep.KERNEL32(0000000A), ref: 0082E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0082E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0082E727
SetActiveWindow.USER32 ref: 0082E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0082E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0082E773
Sleep.KERNEL32(000000FA), ref: 0082E77E
IsWindow.USER32 ref: 0082E78A
EndDialog.USER32(00000000), ref: 0082E79B

Strings

BUTTON, xrefs: 0082E719

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 40603e76ed9141183f64af181ad9181df79d571ffcf7264cc563300a834cc780
Instruction ID: 7750904e7cf03c79a9a900e97f083272da8c5932e67320f1dc8372e8009db7c3
Opcode Fuzzy Hash: 40603e76ed9141183f64af181ad9181df79d571ffcf7264cc563300a834cc780
Instruction Fuzzy Hash: 5F219370304315BFEB11AFA4FC89A253BA9F77474AF140426F516C16A2DB79AC40DF29

Uniqueness

Uniqueness Score: -1.00%

Function 0082E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0082EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0082EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0082EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0082EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0082EAA7

Strings

play PlayMe wait, xrefs: 0082EA91
alias PlayMe, xrefs: 0082EA36
close PlayMe, xrefs: 0082EA6E, 0082EA9B
play PlayMe, xrefs: 0082EAA2
open , xrefs: 0082EA0C
status PlayMe mode, xrefs: 0082EA58

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 8040dba88ddd6feb1b42121799290e454fd85895c398a2634fadda5f714b9508
Instruction ID: 909c664c36aee1055bccee6e58921691cca18a42e9ca7c5be003a4f512dac22a
Opcode Fuzzy Hash: 8040dba88ddd6feb1b42121799290e454fd85895c398a2634fadda5f714b9508
Instruction Fuzzy Hash: B1114F21A90269B9D720B7A1EC4AEFF6B7CFBD1B40F40042DB811E21D1EA741955C6B0

Uniqueness

Uniqueness Score: -1.00%

Function 00825CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00825CE2
GetWindowRect.USER32(00000000,?), ref: 00825CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00825D59
GetDlgItem.USER32(?,00000002), ref: 00825D69
GetWindowRect.USER32(00000000,?), ref: 00825D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00825DCF
GetDlgItem.USER32(?,000003E9), ref: 00825DDD
GetWindowRect.USER32(00000000,?), ref: 00825DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00825E31
GetDlgItem.USER32(?,000003EA), ref: 00825E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00825E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00825E67

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: e60f5b204fa3bc6f7c361c2a2b9c15a1571896c9e5d4a240d00f31af1a96171f
Instruction ID: a825481e42e4ee0583d0b35df4a1637e335da7e1a8ed97395723ffe22a448f53
Opcode Fuzzy Hash: e60f5b204fa3bc6f7c361c2a2b9c15a1571896c9e5d4a240d00f31af1a96171f
Instruction Fuzzy Hash: 5D511C71A40719AFDF18CF68DD89AAEBBB5FB48301F108129F915E6290D774AE40CF50

Uniqueness

Uniqueness Score: -1.00%

Function 007D8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,007D8BE8,?,00000000,?,?,?,?,007D8BBA,00000000,?), ref: 007D8FC5

DestroyWindow.USER32(?), ref: 007D8C81
KillTimer.USER32(00000000,?,?,?,?,007D8BBA,00000000,?), ref: 007D8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00816973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,007D8BBA,00000000,?), ref: 008169A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,007D8BBA,00000000,?), ref: 008169B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,007D8BBA,00000000), ref: 008169D4
DeleteObject.GDI32(00000000), ref: 008169E6

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 924c510b89e18d7630f5885df56e2fe598f5fa2cd97d91a417e3eca4dfac5c4a
Instruction ID: 66c070590683f01a8e02922216fd15755c2179afa99ddbf1d4ee31971ad0d14b
Opcode Fuzzy Hash: 924c510b89e18d7630f5885df56e2fe598f5fa2cd97d91a417e3eca4dfac5c4a
Instruction Fuzzy Hash: B961BE30116711DFCF61AF18D948B69BBF5FF40312F18455EE0869AAA0CB39A8D0CF62

Uniqueness

Uniqueness Score: -1.00%

Function 007D9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 007D9944: GetWindowLongW.USER32(?,000000EB), ref: 007D9952

GetSysColor.USER32(0000000F), ref: 007D9862

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 8354f674605d4d9aaa764e2e003c6cf41fb3118096b32c4a92bb75686c21ba59
Instruction ID: 89a8da4ea17af5fba55641aa0171cca1bb136aaf8ef594253daf6327f1eeacc0
Opcode Fuzzy Hash: 8354f674605d4d9aaa764e2e003c6cf41fb3118096b32c4a92bb75686c21ba59
Instruction Fuzzy Hash: 714173311447449FDB205F389C88BB93B75FB46771F14461AFAA2872E1D7399D41EB10

Uniqueness

Uniqueness Score: -1.00%

Function 008296E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0080F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00829717
LoadStringW.USER32(00000000,?,0080F7F8,00000001), ref: 00829720

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0080F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00829742
LoadStringW.USER32(00000000,?,0080F7F8,00000001), ref: 00829745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00829866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0082984A
Error: , xrefs: 0082981D
^ ERROR, xrefs: 008297FB
Line %d:, xrefs: 008297A0
Line %d (File "%s"):, xrefs: 0082978F

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 46368d359991ff8bf58532c44a7f40bd333f8994475d1ace1853d870ed6062a7
Instruction ID: a63d61bb1e4dcbf13ddcc244630ff7125b06ecf622f86473747527d33cfa57a2
Opcode Fuzzy Hash: 46368d359991ff8bf58532c44a7f40bd333f8994475d1ace1853d870ed6062a7
Instruction Fuzzy Hash: 13412072900219AADB14FBE0DD4AEEEB778FF15340F10016DF605B2192EA396F58CB61

Uniqueness

Uniqueness Score: -1.00%

Function 008206DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 007C6B57: _wcslen.LIBCMT ref: 007C6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008207A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008207BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008207DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00820804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0082082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00820837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0082083C

Strings

\IPC$, xrefs: 00820784
\CLSID, xrefs: 00820724
SOFTWARE\Classes\, xrefs: 0082070E

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: fefe9afe509ce04db1dfcaa396debbf837e1e0f9c8d201ba045034de2f11b93c
Instruction ID: 277844d0c6a75b7824f6206a978221fa0e9c68246054ac012ee4004225347a27
Opcode Fuzzy Hash: fefe9afe509ce04db1dfcaa396debbf837e1e0f9c8d201ba045034de2f11b93c
Instruction Fuzzy Hash: 9B41E572C10629EBDF11EBA4EC89DEEB778FF04350B144129E915A31A1EB349E44CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00843C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00843C5C
CoInitialize.OLE32(00000000), ref: 00843C8A
CoUninitialize.OLE32 ref: 00843C94
_wcslen.LIBCMT ref: 00843D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00843DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00843ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00843F0E
CoGetObject.OLE32(?,00000000,0085FB98,?), ref: 00843F2D
SetErrorMode.KERNEL32(00000000), ref: 00843F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00843FC4
VariantClear.OLEAUT32(?), ref: 00843FD8

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: b9928ea1d35e83802f28362078610ce62c7508060c525350fb870e8d5dd73388
Instruction ID: 10ed1c152e1e8150ef98d16cf97f3e01085463f68055e0b426330cd43389dd55
Opcode Fuzzy Hash: b9928ea1d35e83802f28362078610ce62c7508060c525350fb870e8d5dd73388
Instruction Fuzzy Hash: 94C10271608309AFD700DF68C884A2AB7E9FF89748F10491DF98ADB251DB31EE05CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00837A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00837AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00837B8F
SHGetDesktopFolder.SHELL32(?), ref: 00837BA3
CoCreateInstance.OLE32(0085FD08,00000000,00000001,00886E6C,?), ref: 00837BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00837C74
CoTaskMemFree.OLE32(?,?), ref: 00837CCC
SHBrowseForFolderW.SHELL32(?), ref: 00837D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00837D7A
CoTaskMemFree.OLE32(00000000), ref: 00837D81
CoTaskMemFree.OLE32(00000000), ref: 00837DD6
CoUninitialize.OLE32 ref: 00837DDC

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 059190fe67f7c91d2edceee5378a1fe6e825b555440d9284d5abbb41155d1a37
Instruction ID: 45703d74833cb90b1a4e78e3331c85caeaaef3ae057fe053bfb3d7d3b36dc2f1
Opcode Fuzzy Hash: 059190fe67f7c91d2edceee5378a1fe6e825b555440d9284d5abbb41155d1a37
Instruction Fuzzy Hash: CFC1F975A04209AFCB14DF64C888DAEBBF9FF48314F1484A9E915DB261D734ED45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0085541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00855504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00855515
CharNextW.USER32(00000158), ref: 00855544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00855585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0085559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008555AC

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 47b9eb042593ba04f8ad3881938046bac9bf856324bf3471141dac6cee42f93b
Instruction ID: ce0baee2529dc9f555b080a54a6cda9198babec5c233fa2831781b2c68e1b0f9
Opcode Fuzzy Hash: 47b9eb042593ba04f8ad3881938046bac9bf856324bf3471141dac6cee42f93b
Instruction Fuzzy Hash: 4861BE74904608EFDF109F94DC94AFE7BB9FB09326F104049F925E7290D7388A88DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0081FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0081FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0081FB08
VariantInit.OLEAUT32(?), ref: 0081FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0081FB3A
VariantCopy.OLEAUT32(?,?), ref: 0081FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0081FBA1
VariantClear.OLEAUT32(?), ref: 0081FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0081FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0081FBCC
VariantClear.OLEAUT32(?), ref: 0081FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0081FBE9

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 999acc51bacd6e7522329eeb7053191a2890ca53bdcef62dc5dadbf4833e0d4e
Instruction ID: cf4e7148e3654ce18ab9b46974321c116c9a5858023687b3b6937a2853979c83
Opcode Fuzzy Hash: 999acc51bacd6e7522329eeb7053191a2890ca53bdcef62dc5dadbf4833e0d4e
Instruction Fuzzy Hash: AE413075A00219DFCB00DF68C858DEDBBB9FF48355F008069E955E7262C734A946CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00829C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00829CA1
GetAsyncKeyState.USER32(000000A0), ref: 00829D22
GetKeyState.USER32(000000A0), ref: 00829D3D
GetAsyncKeyState.USER32(000000A1), ref: 00829D57
GetKeyState.USER32(000000A1), ref: 00829D6C
GetAsyncKeyState.USER32(00000011), ref: 00829D84
GetKeyState.USER32(00000011), ref: 00829D96
GetAsyncKeyState.USER32(00000012), ref: 00829DAE
GetKeyState.USER32(00000012), ref: 00829DC0
GetAsyncKeyState.USER32(0000005B), ref: 00829DD8
GetKeyState.USER32(0000005B), ref: 00829DEA

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 4495177f3da183ba72ff16683d249c37b8d727e7d6b8a96bb66909db7a7a9e5c
Instruction ID: 58ce416ef76860571ea2aabbdc67a421fa7e25b5264796330d426ef78be52059
Opcode Fuzzy Hash: 4495177f3da183ba72ff16683d249c37b8d727e7d6b8a96bb66909db7a7a9e5c
Instruction Fuzzy Hash: 4641D6345047D96DFF308664E8043B5BEE0FF11344F04805EDAC6965C2EBE499C8DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0084055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 008405BC
inet_addr.WSOCK32(?), ref: 0084061C
gethostbyname.WSOCK32(?), ref: 00840628
IcmpCreateFile.IPHLPAPI ref: 00840636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 008406C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 008406E5
IcmpCloseHandle.IPHLPAPI(?), ref: 008407B9
WSACleanup.WSOCK32 ref: 008407BF

Strings

Ping, xrefs: 00840676

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 64e354fdc82b39265b8f2ee4411412d2c495ab94220618b710d7e6754dc776e2
Instruction ID: 679abf5bfe679ffc303341b132986380dab7af22b02d539f9e44e502d5ff3876
Opcode Fuzzy Hash: 64e354fdc82b39265b8f2ee4411412d2c495ab94220618b710d7e6754dc776e2
Instruction Fuzzy Hash: 8E9157356043059FD320DF15C889F1ABBE0FB88318F1585A9E66ADB6A2C735ED41CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00848CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00848CF3

Part of subcall function 00828E54: _wcslen.LIBCMT ref: 00828E77

_wcslen.LIBCMT ref: 00848D4E
_wcslen.LIBCMT ref: 00848D9C
_wcslen.LIBCMT ref: 00848DDC
_wcslen.LIBCMT ref: 00848E6E

Strings

cdecl, xrefs: 00848D48, 00848D4D
winapi, xrefs: 00848D96, 00848D9B
none, xrefs: 00848E65, 00848E6A
stdcall, xrefs: 00848DD6, 00848DDB

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: ab5ca4eb60bf2e9c477cf90e91529d65e130be5c818d4dfd095efff00a6fe6f1
Instruction ID: cac2f49caa7152924ea0bd40af5d7af20fe5438fc059fd7dea5e2ac9f15f188e
Opcode Fuzzy Hash: ab5ca4eb60bf2e9c477cf90e91529d65e130be5c818d4dfd095efff00a6fe6f1
Instruction Fuzzy Hash: E6519031A0111ADBCF24EFACC9409BEB7A5FF64724B214229E926E72C5EB35DD40C790

Uniqueness

Uniqueness Score: -1.00%

Function 0084372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00843774
CoUninitialize.OLE32 ref: 0084377F
CoCreateInstance.OLE32(?,00000000,00000017,0085FB78,?), ref: 008437D9
IIDFromString.OLE32(?,?), ref: 0084384C
VariantInit.OLEAUT32(?), ref: 008438E4
VariantClear.OLEAUT32(?), ref: 00843936

Strings

NULL Pointer assignment, xrefs: 0084381E
Invalid parameter, xrefs: 00843865
Failed to create object, xrefs: 008437E4, 0084389A

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: aeb995adcbeb73302d1a8a1b71bb5288492ca255acfaac6daf2772b776784cc6
Instruction ID: 3abb555afe6fdc8937a07397e016269bd4f1e5401c81806859e4ea36363c6c67
Opcode Fuzzy Hash: aeb995adcbeb73302d1a8a1b71bb5288492ca255acfaac6daf2772b776784cc6
Instruction Fuzzy Hash: 7F616AB0608315AFD310DF54C889B6ABBE8FF49715F100829F995DB291D774EE48CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00833388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 008333CF

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 008333F0

Strings

Error: , xrefs: 008334D1
Incorrect parameters to object property !, xrefs: 008334AB
"%s" (%d) : ==> %s:%s%s, xrefs: 00833504
^ ERROR , xrefs: 0083349E
"%s" (%d) : ==> %s:, xrefs: 00833522
Line %d (File "%s"):, xrefs: 00833443, 0083345C

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 8c11d9549bd51f87184d04dc85ccb752c26af71e6ca54eeb460480ca885648c8
Instruction ID: abd8cabedb6422c54157ca4a478dbdcfe090c768ebcdebc30cdddb9f1a2ff19e
Opcode Fuzzy Hash: 8c11d9549bd51f87184d04dc85ccb752c26af71e6ca54eeb460480ca885648c8
Instruction Fuzzy Hash: A951BE3190020AEADF14EBA0DD4AEEEB7B8FF14340F104169F505B2192EB392F58DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0082B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0082B5FC
_wcslen.LIBCMT ref: 0082B608
_wcslen.LIBCMT ref: 0082B64D
_wcslen.LIBCMT ref: 0082B68C
_wcslen.LIBCMT ref: 0082B6C7

Strings

REMOVE, xrefs: 0082B602, 0082B607
APPEND, xrefs: 0082B6C1, 0082B6C6
EXISTS, xrefs: 0082B686, 0082B68B
KEYS, xrefs: 0082B647, 0082B64C

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 63b35fbdc7f8c79a3abf3c88ceb918a9d51fc2079d64b42445433dc9eb5f6824
Instruction ID: 4af1de377458b904db5fb1ee7578e6c1d393765d68e8528c99939f7488ec2bb3
Opcode Fuzzy Hash: 63b35fbdc7f8c79a3abf3c88ceb918a9d51fc2079d64b42445433dc9eb5f6824
Instruction Fuzzy Hash: B741A532A021369BCB206FBD98905BE77A5FB70758B244229E562D7284F735CDC1C790

Uniqueness

Uniqueness Score: -1.00%

Function 00835393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008353A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00835416
GetLastError.KERNEL32 ref: 00835420
SetErrorMode.KERNEL32(00000000,READY), ref: 008354A7

Strings

READONLY, xrefs: 00835452
NOTREADY, xrefs: 0083544B
UNKNOWN, xrefs: 00835444
READY, xrefs: 00835460, 00835468
INVALID, xrefs: 00835459

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 5e1b3656d63530f551a156777de2e7aa76b694ba14acd260c30c022279b63cda
Instruction ID: 1c6a831d21927122c3cae6bc8082f60cf8a9117d572e8f6e9990cf660a6c1cf8
Opcode Fuzzy Hash: 5e1b3656d63530f551a156777de2e7aa76b694ba14acd260c30c022279b63cda
Instruction Fuzzy Hash: 523180B5A006089FC714DF68C488FAABBB4FF85309F148069E905DB292E775DD86CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00853C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00853C79
SetMenu.USER32(?,00000000), ref: 00853C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00853D10
IsMenu.USER32(?), ref: 00853D24
CreatePopupMenu.USER32 ref: 00853D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00853D5B
DrawMenuBar.USER32 ref: 00853D63

Strings

0, xrefs: 00853C54
F, xrefs: 00853D4E

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 887ae02a88bd71a121b2cff82650506b25d3eefca3231ebff1208438bbfc3c69
Instruction ID: 5b634b9ff1332377d7e3c97e6f8531e1a76c1122273166e9f8dd85372b5f997e
Opcode Fuzzy Hash: 887ae02a88bd71a121b2cff82650506b25d3eefca3231ebff1208438bbfc3c69
Instruction Fuzzy Hash: 82415775A01309EFDB14CFA4D844BAABBB5FF49392F140029ED46A7360D734AA18CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00853A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00853A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00853AA0
GetWindowLongW.USER32(?,000000F0), ref: 00853AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00853AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00853B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00853BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00853BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00853BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00853BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00853C13

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 234ab90af00932a804482343aef1084e8fe9ae74e39771d01afef405a77df36c
Instruction ID: 39c229bde0c697f8fb87be3bc3fbbd7d2b035bc408bf926c02d46fcaf21aa115
Opcode Fuzzy Hash: 234ab90af00932a804482343aef1084e8fe9ae74e39771d01afef405a77df36c
Instruction Fuzzy Hash: 1E617875A00208AFDB11DFA8CC85EEEB7B8FB09750F14409AFA15E72A1C774AE45DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0082B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0082B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0082A1E1,?,00000001), ref: 0082B165
GetWindowThreadProcessId.USER32(00000000), ref: 0082B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0082A1E1,?,00000001), ref: 0082B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0082B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0082A1E1,?,00000001), ref: 0082B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0082A1E1,?,00000001), ref: 0082B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0082A1E1,?,00000001), ref: 0082B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0082A1E1,?,00000001), ref: 0082B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0082A1E1,?,00000001), ref: 0082B21D

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 6f5ca538e1c18e2d5d56aa47f4ff50773ebfaefa1df3285ba931a4293339c1a7
Instruction ID: 3fbca6b2dc2f573d0c75c1525bed491b914aa24aad457baf715d49fd1b3ff6f5
Opcode Fuzzy Hash: 6f5ca538e1c18e2d5d56aa47f4ff50773ebfaefa1df3285ba931a4293339c1a7
Instruction Fuzzy Hash: A63189B5511714EFDB10AF64EC48B6E7BA9FB61312F14400AFA02D6191D7B89A80CF64

Uniqueness

Uniqueness Score: -1.00%

Function 007F2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 007F2C94

Part of subcall function 007F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000), ref: 007F29DE
Part of subcall function 007F29C8: GetLastError.KERNEL32(00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000,00000000), ref: 007F29F0

_free.LIBCMT ref: 007F2CA0
_free.LIBCMT ref: 007F2CAB
_free.LIBCMT ref: 007F2CB6
_free.LIBCMT ref: 007F2CC1
_free.LIBCMT ref: 007F2CCC
_free.LIBCMT ref: 007F2CD7
_free.LIBCMT ref: 007F2CE2
_free.LIBCMT ref: 007F2CED
_free.LIBCMT ref: 007F2CFB

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7b75c0e7b2429211e8078bde9c561d54c2d89f3ec88833cdb2bd27df62978d69
Instruction ID: 148bf57f52749e1f80555ee72404c39cbf539e99d82ee78528d34da244b03d05
Opcode Fuzzy Hash: 7b75c0e7b2429211e8078bde9c561d54c2d89f3ec88833cdb2bd27df62978d69
Instruction Fuzzy Hash: 5A11807614010DEFCB02EF94D886CAD3BA5BF05350F5144A5FA48AB332DA75EA519F90

Uniqueness

Uniqueness Score: -1.00%

Function 007C1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 007C1459
OleUninitialize.OLE32(?,00000000), ref: 007C14F8
UnregisterHotKey.USER32(?), ref: 007C16DD
DestroyWindow.USER32(?), ref: 008024B9
FreeLibrary.KERNEL32(?), ref: 0080251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0080254B

Strings

close all, xrefs: 007C1454

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 069d0cd04b25a5a72161a21e91d395a8e21316c928f6d120e086577efbb3f756
Instruction ID: 4f998ad388822f8d1dce0816f23c7ba0ddc1379386d95f8d8037e256af11762e
Opcode Fuzzy Hash: 069d0cd04b25a5a72161a21e91d395a8e21316c928f6d120e086577efbb3f756
Instruction Fuzzy Hash: C7D16931601212CFCB59EF14C899F29F7A4FF05710F5442ADE94AAB292DB35AD22CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00837DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00837FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00837FC1
GetFileAttributesW.KERNEL32(?), ref: 00837FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00838005
SetCurrentDirectoryW.KERNEL32(?), ref: 00838017
SetCurrentDirectoryW.KERNEL32(?), ref: 00838060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 008380B0

Strings

*.*, xrefs: 00838066

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 0393c9e2577b0b11ec52b0ae67b62c6bde619ef40cf6c8c3b614681eafffcb60
Instruction ID: 18ea1dee8fadd51b538f60904bdd7673d6c1bf29969d97ac1c4da601d3e05785
Opcode Fuzzy Hash: 0393c9e2577b0b11ec52b0ae67b62c6bde619ef40cf6c8c3b614681eafffcb60
Instruction Fuzzy Hash: 75817DB2508345DBCB34EF14C894AAAB3E8FBC8714F14486EF885D7250EB79DD458B92

Uniqueness

Uniqueness Score: -1.00%

Function 007C5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 007C5C7A

Part of subcall function 007C5D0A: GetClientRect.USER32(?,?), ref: 007C5D30
Part of subcall function 007C5D0A: GetWindowRect.USER32(?,?), ref: 007C5D71
Part of subcall function 007C5D0A: ScreenToClient.USER32(?,?), ref: 007C5D99

GetDC.USER32 ref: 008046F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00804708
SelectObject.GDI32(00000000,00000000), ref: 00804716
SelectObject.GDI32(00000000,00000000), ref: 0080472B
ReleaseDC.USER32(?,00000000), ref: 00804733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 008047C4

Strings

U, xrefs: 00804693

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: cfd3eb0f1f8b6aa1d693881df3a001e3861b63f9482b759d13e9408ee52497e2
Instruction ID: ce6abef5fbf266bc86b5a3458114e8310efb7b12000445c9182520b3e11f88a4
Opcode Fuzzy Hash: cfd3eb0f1f8b6aa1d693881df3a001e3861b63f9482b759d13e9408ee52497e2
Instruction Fuzzy Hash: DF71F170500209DFCF618F64CD84EBA3BB1FF4A315F185269EE519A2A6D7369881DF60

Uniqueness

Uniqueness Score: -1.00%

Function 0083359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 008335E4

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

LoadStringW.USER32(00892390,?,00000FFF,?), ref: 0083360A

Strings

Error: , xrefs: 008336EF
^ ERROR, xrefs: 008336C9
"%s" (%d) : ==> %s:%s%s, xrefs: 00833724
"%s" (%d) : ==> %s:, xrefs: 00833742
Line %d (File "%s"):, xrefs: 0083366B

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: ecee116e0739371d9298d38b3b360d59f6b16837960df311462c52e91b943f6f
Instruction ID: ad8d2e08a3e4e001e93e7c25c4fb0c91338eff452f960f4ecd1827d2dde71829
Opcode Fuzzy Hash: ecee116e0739371d9298d38b3b360d59f6b16837960df311462c52e91b943f6f
Instruction Fuzzy Hash: DF516D7190021AFADF14EBA0DC4AEEDBB78FF14340F144129F515B21A1EB381A98DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00858B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2

Part of subcall function 007D912D: GetCursorPos.USER32(?), ref: 007D9141
Part of subcall function 007D912D: ScreenToClient.USER32(00000000,?), ref: 007D915E
Part of subcall function 007D912D: GetAsyncKeyState.USER32(00000001), ref: 007D9183
Part of subcall function 007D912D: GetAsyncKeyState.USER32(00000002), ref: 007D919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00858B6B
ImageList_EndDrag.COMCTL32 ref: 00858B71
ReleaseCapture.USER32 ref: 00858B77
SetWindowTextW.USER32(?,00000000), ref: 00858C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00858C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00858CFF

Strings

@GUI_DRAGFILE, xrefs: 00858C9A
@GUI_DROPID, xrefs: 00858C51

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 4be564f28861ffc741d72d4dd3b497698d96ce4f90a7736b9892bacdf1aeac27
Instruction ID: 6c29c2614dd13b6dbda373de9008d52255541dd91e76d59b288dbadacd7a6155
Opcode Fuzzy Hash: 4be564f28861ffc741d72d4dd3b497698d96ce4f90a7736b9892bacdf1aeac27
Instruction Fuzzy Hash: 6F517C71104304AFDB00EF24DC5AFAA77E4FB84715F44062EF956A72A1DB749D08CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0083C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0083C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0083C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0083C2CA
GetLastError.KERNEL32 ref: 0083C322
SetEvent.KERNEL32(?), ref: 0083C336
InternetCloseHandle.WININET(00000000), ref: 0083C341

Strings

, xrefs: 0083C2BB

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 62069151e0132c7c2778360bfa362ffcb3f4d01cfb748e1ef172c66bccae6949
Instruction ID: 6412d31e1343938fdaabcf3b6f47eeed56a73ad4d9907122ef4fa7cea6b2ea44
Opcode Fuzzy Hash: 62069151e0132c7c2778360bfa362ffcb3f4d01cfb748e1ef172c66bccae6949
Instruction Fuzzy Hash: 52314DB1600708AFDB219F65DC88AAB7BFCFB89745F14851DF446E6200DB34DD059BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0082989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00803AAF,?,?,Bad directive syntax error,0085CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 008298BC
LoadStringW.USER32(00000000,?,00803AAF,?), ref: 008298C3

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00829987

Strings

Error: , xrefs: 00829955
., xrefs: 0082996D
%s (%d) : ==> %s.: %s %s, xrefs: 008298F1
Line %d:, xrefs: 00829912
Line %d (File "%s"):, xrefs: 0082992D

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 1f1a3fba22dcf1b714b8bdf5cc9490acbec906fc5dbd901f3c6d2856531527e2
Instruction ID: ec59cfcd30ed32bce4f2491fa1bd39d6a9e0e23edde665cbc686ab7efa9a5cf8
Opcode Fuzzy Hash: 1f1a3fba22dcf1b714b8bdf5cc9490acbec906fc5dbd901f3c6d2856531527e2
Instruction Fuzzy Hash: AF21803190031AEBCF11AF90DC0AEEE7779FF18304F04445EF529A61A2EB399668CB11

Uniqueness

Uniqueness Score: -1.00%

Function 0082209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 008220AB
GetClassNameW.USER32(00000000,?,00000100), ref: 008220C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0082214D

Strings

smallicons, xrefs: 00822115
list, xrefs: 0082212F
largeicons, xrefs: 008220E1
SHELLDLL_DefView, xrefs: 008220CC
details, xrefs: 008220FB

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: a9f5a792dc54f11396f29cd57d1abb4f5c0dd6c7534b22e965e57d3e19e56493
Instruction ID: 457452c497638deedea74084079feb82a7b57569c9a3c097be2f8d19aad2ccb1
Opcode Fuzzy Hash: a9f5a792dc54f11396f29cd57d1abb4f5c0dd6c7534b22e965e57d3e19e56493
Instruction Fuzzy Hash: 8211277A684716F9F6012221AC0ACE637DCFF18334B200026F704E40D1FF6978A15618

Uniqueness

Uniqueness Score: -1.00%

Function 007FCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 007FCEB7
_free.LIBCMT ref: 007FCF22
_free.LIBCMT ref: 007FCF48
_free.LIBCMT ref: 007FCF71
_free.LIBCMT ref: 007FCFA9
_free.LIBCMT ref: 007FCFDA
_free.LIBCMT ref: 007FD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 007FD09C
_free.LIBCMT ref: 007FD0B5

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 7f499602bd6a6e0557cae1bba3f6a1d69fdaddf647049b7ab8035206d1c0cc6a
Instruction ID: c5f044e4c979612d5c0d8d6c691afa57c06959d708f898b73044ebe8bcbe0b89
Opcode Fuzzy Hash: 7f499602bd6a6e0557cae1bba3f6a1d69fdaddf647049b7ab8035206d1c0cc6a
Instruction Fuzzy Hash: 8361287290430DAFDB22AFB49949679BBE5EF05320F04426EFB41A7382D63D9D019B50

Uniqueness

Uniqueness Score: -1.00%

Function 007D8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00816890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 008168A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008168B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 008168D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008168F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,007D8874,00000000,00000000,00000000,000000FF,00000000), ref: 00816901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0081691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,007D8874,00000000,00000000,00000000,000000FF,00000000), ref: 0081692D

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 6f58edd349530dc4748dd7c2b5755c61b182fa7bd101d4cd3cd32b1d25c521ea
Instruction ID: 35a7f22effe271234a2e4a27f2b0d7205f7cd8c0b0e06e82e41cf8501165d792
Opcode Fuzzy Hash: 6f58edd349530dc4748dd7c2b5755c61b182fa7bd101d4cd3cd32b1d25c521ea
Instruction Fuzzy Hash: 69518AB0600305EFDB20DF28CC95FAA7BB5FF48351F14452AF956D62A0EB74A990DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0083C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0083C182
GetLastError.KERNEL32 ref: 0083C195
SetEvent.KERNEL32(?), ref: 0083C1A9

Part of subcall function 0083C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0083C272
Part of subcall function 0083C253: GetLastError.KERNEL32 ref: 0083C322
Part of subcall function 0083C253: SetEvent.KERNEL32(?), ref: 0083C336
Part of subcall function 0083C253: InternetCloseHandle.WININET(00000000), ref: 0083C341

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 3c5f5ce8dcd88b892bae7295606955a3dae050b54e8220e570441d1ca6d32710
Instruction ID: 55a03792e8d970f7e1cb8b637689345fc726e385bf9329e2c6fdd7acb07f66be
Opcode Fuzzy Hash: 3c5f5ce8dcd88b892bae7295606955a3dae050b54e8220e570441d1ca6d32710
Instruction Fuzzy Hash: CC317871200705AFDB219FA9DC44A6BBBE9FF98301F00442DF956E6610DB34E814EFA0

Uniqueness

Uniqueness Score: -1.00%

Function 008225A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00823A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00823A57
Part of subcall function 00823A3D: GetCurrentThreadId.KERNEL32 ref: 00823A5E
Part of subcall function 00823A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008225B3), ref: 00823A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 008225BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 008225DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 008225DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 008225E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00822601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00822605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0082260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00822623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00822627

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: f3729a2411a822b5660c9290ac5975a35eb63dbe1e2289509019801618d7d5ee
Instruction ID: aadd33f229d9ee95b329cb83597e25192174aed9aff3668e8486854835b64916
Opcode Fuzzy Hash: f3729a2411a822b5660c9290ac5975a35eb63dbe1e2289509019801618d7d5ee
Instruction Fuzzy Hash: AE01D431390724BBFB1067689C8AF593F99FB5EB12F100016F318EE1D1C9E624848E6A

Uniqueness

Uniqueness Score: -1.00%

Function 00821803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00821449,?,?,00000000), ref: 0082180C
HeapAlloc.KERNEL32(00000000,?,00821449,?,?,00000000), ref: 00821813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00821449,?,?,00000000), ref: 00821828
GetCurrentProcess.KERNEL32(?,00000000,?,00821449,?,?,00000000), ref: 00821830
DuplicateHandle.KERNEL32(00000000,?,00821449,?,?,00000000), ref: 00821833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00821449,?,?,00000000), ref: 00821843
GetCurrentProcess.KERNEL32(00821449,00000000,?,00821449,?,?,00000000), ref: 0082184B
DuplicateHandle.KERNEL32(00000000,?,00821449,?,?,00000000), ref: 0082184E
CreateThread.KERNEL32(00000000,00000000,00821874,00000000,00000000,00000000), ref: 00821868

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 21d88d27ecd1774a3c9566dddd3e4035c028c4a0abdc300d2e6ac9c4a8c947a1
Instruction ID: c9b630d17981d7986f3ee78d21fa1528d1a997e1db6ebe5b7e38d34d8272e93c
Opcode Fuzzy Hash: 21d88d27ecd1774a3c9566dddd3e4035c028c4a0abdc300d2e6ac9c4a8c947a1
Instruction Fuzzy Hash: 9101A8B5680708BFEA10ABA5DC4DF6B7BACFB89B11F404411FA05DB2A1CA749844CF20

Uniqueness

Uniqueness Score: -1.00%

Function 0084A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0082D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0082D501
Part of subcall function 0082D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0082D50F
Part of subcall function 0082D4DC: CloseHandle.KERNEL32(00000000), ref: 0082D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0084A16D
GetLastError.KERNEL32 ref: 0084A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0084A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0084A268
GetLastError.KERNEL32(00000000), ref: 0084A273
CloseHandle.KERNEL32(00000000), ref: 0084A2C4

Strings

SeDebugPrivilege, xrefs: 0084A18F

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: d1827643e29534127f5ae9649f141327f8b32fe10fd88224a56f6af397828716
Instruction ID: eb6881e024c5b5ab7fe1706f7e8a1a05c455af64474c84fd168dcbb4e315c2f8
Opcode Fuzzy Hash: d1827643e29534127f5ae9649f141327f8b32fe10fd88224a56f6af397828716
Instruction Fuzzy Hash: DD617B312442569FD724DF18C498F2ABBA1FF54318F18848CE4668F7A2C7B6ED45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00853886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00853925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0085393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00853954
_wcslen.LIBCMT ref: 00853999
SendMessageW.USER32(?,00001057,00000000,?), ref: 008539C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 008539F4

Strings

SysListView32, xrefs: 008538F7

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: b142457c139606c6a6d2d2ea0a80a6bf664eb0ea376de8e8074874bbc543a112
Instruction ID: cd63969a9a7897e7bf89b5248c65ba31ff5ede642a17bae90bea9d0bfb493fb5
Opcode Fuzzy Hash: b142457c139606c6a6d2d2ea0a80a6bf664eb0ea376de8e8074874bbc543a112
Instruction Fuzzy Hash: 21419571A00319ABEF219F64CC49FEA7BA9FF08395F10052AF954E7281D7759E84CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0082BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0082BCFD
IsMenu.USER32(00000000), ref: 0082BD1D
CreatePopupMenu.USER32 ref: 0082BD53
GetMenuItemCount.USER32(01965898), ref: 0082BDA4
InsertMenuItemW.USER32(01965898,?,00000001,00000030), ref: 0082BDCC

Strings

2, xrefs: 0082BD37
0, xrefs: 0082BCA8

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: f82b0dd104e58dfa16f17663b70b7898024c85092ba4fa8c7d1fbc892f06d1dd
Instruction ID: de5a772d43b379bae56b7f94c523db56320e00e86f5ed700f302b2e3eb224c78
Opcode Fuzzy Hash: f82b0dd104e58dfa16f17663b70b7898024c85092ba4fa8c7d1fbc892f06d1dd
Instruction Fuzzy Hash: BD51AD70A02329ABDB10CFA8E888BEEBBF4FF45354F148159E851D72D1E7749981CB61

Uniqueness

Uniqueness Score: -1.00%

Function 007E2D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 007E2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 007E2D53
_ValidateLocalCookies.LIBCMT ref: 007E2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 007E2E0C
_ValidateLocalCookies.LIBCMT ref: 007E2E61

Strings

&H~, xrefs: 007E2DFE, 007E2E07, 007E2E18
csm, xrefs: 007E2DF6

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H~$csm
API String ID: 1170836740-3418752573
Opcode ID: c887d400749ae42c76fbd2a13e09c8f693649b1686cb1ccf9b9b6a8468c5c748
Instruction ID: d0d074d5457f3f40d52769fed0f9e79a1335d4f8535167e878daac8cc9d822c1
Opcode Fuzzy Hash: c887d400749ae42c76fbd2a13e09c8f693649b1686cb1ccf9b9b6a8468c5c748
Instruction Fuzzy Hash: CE41A934E02249EBCF10DF59CC49A9EBBB9BF48314F148155E9149B353D7799A12CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0082C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0082C913

Strings

question, xrefs: 0082C8CC
info, xrefs: 0082C8B4
stop, xrefs: 0082C8E4
warning, xrefs: 0082C8FC
blank, xrefs: 0082C895

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 0a87fa9c2af5e981d1ae4a9c41bbbb56ffa1539d5d091f14587f66eeffc7ca9d
Instruction ID: 72d82e15cff4d987e9a9eb35d4323dcf661ae38b10df57d546cd7a208b041e17
Opcode Fuzzy Hash: 0a87fa9c2af5e981d1ae4a9c41bbbb56ffa1539d5d091f14587f66eeffc7ca9d
Instruction Fuzzy Hash: 26112E3168931ABAE7006B54AC82CBE2B9CFF15324B50403AF500E6281E7A85DC05768

Uniqueness

Uniqueness Score: -1.00%

Function 0082ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0082ED2A
_wcslen.LIBCMT ref: 0082ED3B
_wcslen.LIBCMT ref: 0082ED79
_wcslen.LIBCMT ref: 0082EDAF
_wcslen.LIBCMT ref: 0082EDDF
_wcslen.LIBCMT ref: 0082EDEF
_wcslen.LIBCMT ref: 0082EE2B
_wcslen.LIBCMT ref: 0082EE5A

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 0e78d5b186ef999d215e9c1f8564f774860e72f32d783fecbb2b65b12c7c2029
Instruction ID: 7f4806df5adaee17ab1fc8458681e8bf1a51d50b100a644447daaaabd71efa52
Opcode Fuzzy Hash: 0e78d5b186ef999d215e9c1f8564f774860e72f32d783fecbb2b65b12c7c2029
Instruction Fuzzy Hash: F1417266C11258B5CB11EBF5888E9CF77ACFF49710F504462E614E3122EB38E655C3E9

Uniqueness

Uniqueness Score: -1.00%

Function 007DF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0081682C,00000004,00000000,00000000), ref: 007DF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0081682C,00000004,00000000,00000000), ref: 0081F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0081682C,00000004,00000000,00000000), ref: 0081F454

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 5d780a9bbb6da38b4795f5aa586e4318f437b26760a907e593e278b97cc8f049
Instruction ID: a2eac427a6189a2d23532ce8322ffced11f0765e2d626d7494f752f314a3e708
Opcode Fuzzy Hash: 5d780a9bbb6da38b4795f5aa586e4318f437b26760a907e593e278b97cc8f049
Instruction Fuzzy Hash: 3A410870A08780BECB399B2D88A876A7AB5FF55314F14403EE18BD6761C639B8C0CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00852D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00852D1B
GetDC.USER32(00000000), ref: 00852D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00852D2E
ReleaseDC.USER32(00000000,00000000), ref: 00852D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00852D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00852D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00855A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00852DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00852DE1

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 43ae84b9a0ef33d9f480f669aefe49aaa1e490f0b73ea10f39db50510924932a
Instruction ID: 465d927982271e0990244e69a0d33e4a28c51290bed385fb4df16cd2400b1a87
Opcode Fuzzy Hash: 43ae84b9a0ef33d9f480f669aefe49aaa1e490f0b73ea10f39db50510924932a
Instruction Fuzzy Hash: 60316B72201714BFEB118F548C8AFEB3FA9FB1A756F044055FE08DA291C6799C50CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00825622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00825637
_memcmp.LIBVCRUNTIME ref: 00825659
_memcmp.LIBVCRUNTIME ref: 00825671
_memcmp.LIBVCRUNTIME ref: 00825684
_memcmp.LIBVCRUNTIME ref: 0082569E
_memcmp.LIBVCRUNTIME ref: 008256B1
_memcmp.LIBVCRUNTIME ref: 008256C9
_memcmp.LIBVCRUNTIME ref: 008256E4

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 1bc43a31db38b938d5118ffc1f2be9829304ac0af1234a49ead3301be2818235
Instruction ID: a538a66cb5c5f305e6b1a26f352b1248adce2ce722fa71f30ce33d0e3e3af508
Opcode Fuzzy Hash: 1bc43a31db38b938d5118ffc1f2be9829304ac0af1234a49ead3301be2818235
Instruction Fuzzy Hash: 5321B371AC2A69BBD2149525AE82FBB235CFF34395F840030FE05DA686F738ED5481A5

Uniqueness

Uniqueness Score: -1.00%

Function 00844FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0084502E, 00845383
Not an Object type, xrefs: 00845007

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 3db5e5ee6a25ded876790519b51c7c205613a4e2cd1fbb24a5e3ed85560a8d2d
Instruction ID: 9f11ed61effe3b1202cb7047dc3749c7ef5e5d2999bcd30fffd3d6591bbfc6b6
Opcode Fuzzy Hash: 3db5e5ee6a25ded876790519b51c7c205613a4e2cd1fbb24a5e3ed85560a8d2d
Instruction Fuzzy Hash: 99D18C75A0061EAFDB10CFA8C881BAEB7B5FF48344F148469E915EB282E771DD45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00801522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,008017FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 008015CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,008017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00801651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,008017FB,?,008017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008016E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,008017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008016FB

Part of subcall function 007F3820: RtlAllocateHeap.NTDLL(00000000,?,00891444,?,007DFDF5,?,?,007CA976,00000010,00891440,007C13FC,?,007C13C6,?,007C1129), ref: 007F3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,008017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00801777
__freea.LIBCMT ref: 008017A2
__freea.LIBCMT ref: 008017AE

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 6340e59447d84d55aa3d9393bb76f65ac0c3860d81051305e6a9022f30376dd6
Instruction ID: bb0c76376fce074beb8107cf584df1b6695a30720795a44aae83973b680ad5b2
Opcode Fuzzy Hash: 6340e59447d84d55aa3d9393bb76f65ac0c3860d81051305e6a9022f30376dd6
Instruction Fuzzy Hash: 02919472E0021A9EDF608E64CC89AFE7BB5FF49724F184659E911EB2C5DB25DC40CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00844523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00844648
VariantInit.OLEAUT32(?), ref: 00844749
VariantClear.OLEAUT32(?), ref: 00844753
VariantClear.OLEAUT32(?), ref: 008447B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0084472C
Null Object assignment in FOR..IN loop, xrefs: 008445D8, 00844706, 008447BE

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 486305f125981dbdd4dfb69add620ae52b5f846a1cf1ed98f02d853a3eec1b51
Instruction ID: 5498833e78a6addc9177ad3ab499107db2c898db1db8898972eca4d579306ca4
Opcode Fuzzy Hash: 486305f125981dbdd4dfb69add620ae52b5f846a1cf1ed98f02d853a3eec1b51
Instruction Fuzzy Hash: 80918971A0021DABDF20CFA4C888FAEBBB8FF46714F109559E515EB281D7749946CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00831187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0083125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00831284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 008312A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008312D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0083135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008313C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00831430

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: a23838bb7f75a48bfbd6562bda8694b26f906296833ca976b356edda3c037942
Instruction ID: db9ad9cf690ed972d5f597f4c563a5db164328cda020265339807434eb02d3fc
Opcode Fuzzy Hash: a23838bb7f75a48bfbd6562bda8694b26f906296833ca976b356edda3c037942
Instruction Fuzzy Hash: 9191D271A002099FDF00DFA8C898BBEB7B5FF84B15F144429E911EB291DB78A941CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 007D948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 9b9e114eb9db3d60655231bf17aaae27173a497d8c63be46c8a40e4df4e7dca3
Instruction ID: 61d866f9acd12799a97bf74b5ff5cbe1d245edc3120e3526c09602fadbf8fb3f
Opcode Fuzzy Hash: 9b9e114eb9db3d60655231bf17aaae27173a497d8c63be46c8a40e4df4e7dca3
Instruction Fuzzy Hash: 14912971D40219EFCB10CFA9CC88AEEBBB8FF49320F14455AE516B7291D378A951CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00843947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0084396B
CharUpperBuffW.USER32(?,?), ref: 00843A7A
_wcslen.LIBCMT ref: 00843A8A
VariantClear.OLEAUT32(?), ref: 00843C1F

Part of subcall function 00830CDF: VariantInit.OLEAUT32(00000000), ref: 00830D1F
Part of subcall function 00830CDF: VariantCopy.OLEAUT32(?,?), ref: 00830D28
Part of subcall function 00830CDF: VariantClear.OLEAUT32(?), ref: 00830D34

Strings

AUTOIT.ERROR, xrefs: 00843A80, 00843A85
Incorrect Parameter format, xrefs: 008439A6, 00843BA1

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: cfd2d2616f658c1524ca117a0f78b4275e9f68386a68ce59d6f9757b2e7a725f
Instruction ID: e32b35823c0deebf4d2e883ffbf2b600287979f1dac293bcc334f990e347e6ed
Opcode Fuzzy Hash: cfd2d2616f658c1524ca117a0f78b4275e9f68386a68ce59d6f9757b2e7a725f
Instruction Fuzzy Hash: 139133746083099FC704EF28C48596AB7E5FF88314F14882EF88A9B351DB35EE45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00844BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0082000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0081FF41,80070057,?,?,?,0082035E), ref: 0082002B
Part of subcall function 0082000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0081FF41,80070057,?,?), ref: 00820046
Part of subcall function 0082000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0081FF41,80070057,?,?), ref: 00820054
Part of subcall function 0082000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0081FF41,80070057,?), ref: 00820064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00844C51
_wcslen.LIBCMT ref: 00844D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00844DCF
CoTaskMemFree.OLE32(?), ref: 00844DDA

Strings

NULL Pointer assignment, xrefs: 00844E23, 00844E52

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 07b0e55f923fe90e3b4606c5922d839fd81f9aa155096000c2e9026cedadecc5
Instruction ID: aa66dacace15bc8cb718323d6e8f127c38ea22e7319c9290ef5ec586c2490acc
Opcode Fuzzy Hash: 07b0e55f923fe90e3b4606c5922d839fd81f9aa155096000c2e9026cedadecc5
Instruction Fuzzy Hash: AC910171D0021DEFDF10DFA4D895AEEB7B9FF08314F10816AE915A7251EB34AA458FA0

Uniqueness

Uniqueness Score: -1.00%

Function 008520FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00852183
GetMenuItemCount.USER32(00000000), ref: 008521B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 008521DD
_wcslen.LIBCMT ref: 00852213
GetMenuItemID.USER32(?,?), ref: 0085224D
GetSubMenu.USER32(?,?), ref: 0085225B

Part of subcall function 00823A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00823A57
Part of subcall function 00823A3D: GetCurrentThreadId.KERNEL32 ref: 00823A5E
Part of subcall function 00823A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008225B3), ref: 00823A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 008522E3

Part of subcall function 0082E97B: Sleep.KERNEL32 ref: 0082E9F3

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: bc32a7187bfce630d27a17bc99cf50a0eba6fa6f9fce4b8c6b1ac2e11d285478
Instruction ID: e1be0b351cda687cc9927434cd9ff54796521a583a9b2ed18cf335b4c6d9744d
Opcode Fuzzy Hash: bc32a7187bfce630d27a17bc99cf50a0eba6fa6f9fce4b8c6b1ac2e11d285478
Instruction Fuzzy Hash: 0B718E75A00215EFCB10DF68C885AAEB7F1FF49311F148499E816EB351DB38AE458F90

Uniqueness

Uniqueness Score: -1.00%

Function 0082AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0082AEF9
GetKeyboardState.USER32(?), ref: 0082AF0E
SetKeyboardState.USER32(?), ref: 0082AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0082AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0082AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0082AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0082B020

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: e01d214a18312f96e23d9ba32c685ca4c431f7e567ce949b479f634b164d66da
Instruction ID: f2ab9d4218a2f0ad9c03138c5f79e4d342d687dc55fba7224f845ddc7176608a
Opcode Fuzzy Hash: e01d214a18312f96e23d9ba32c685ca4c431f7e567ce949b479f634b164d66da
Instruction Fuzzy Hash: C951B1A06047E53EFB3A42349945BBA7FE9FF06304F088489E1E5D54C2D7A9ACC4D752

Uniqueness

Uniqueness Score: -1.00%

Function 0082ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0082AD19
GetKeyboardState.USER32(?), ref: 0082AD2E
SetKeyboardState.USER32(?), ref: 0082AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0082ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0082ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0082AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0082AE38

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 74eaa447a0190d3c1cdf5af005973c15388e4a6c4e1809911fad57c039cf142f
Instruction ID: 8cedbc0c71b72bd2621151c3c16dcbd37962b288b772d8334de72e347d4d7c45
Opcode Fuzzy Hash: 74eaa447a0190d3c1cdf5af005973c15388e4a6c4e1809911fad57c039cf142f
Instruction Fuzzy Hash: 2A51D3A15047E53EFB3A82249C95B7ABEE8FF46300F088489E1D5D68C2D294ECC9D752

Uniqueness

Uniqueness Score: -1.00%

Function 007F542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00803CD6,?,?,?,?,?,?,?,?,007F5BA3,?,?,00803CD6,?,?), ref: 007F5470
__fassign.LIBCMT ref: 007F54EB
__fassign.LIBCMT ref: 007F5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00803CD6,00000005,00000000,00000000), ref: 007F552C
WriteFile.KERNEL32(?,00803CD6,00000000,007F5BA3,00000000,?,?,?,?,?,?,?,?,?,007F5BA3,?), ref: 007F554B
WriteFile.KERNEL32(?,?,00000001,007F5BA3,00000000,?,?,?,?,?,?,?,?,?,007F5BA3,?), ref: 007F5584

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: b72c8d1d5839da68faed5349454b5471767cc965807d32cdc4979730b5d5e446
Instruction ID: 8532078c2fd2b5b38892178fcf37f877d779258e6778e88addb82ca513a94113
Opcode Fuzzy Hash: b72c8d1d5839da68faed5349454b5471767cc965807d32cdc4979730b5d5e446
Instruction Fuzzy Hash: 52519F71A006499FDB10CFA8D845AEEBBFAEF09300F14411AE655E7391E634AA51CB60

Uniqueness

Uniqueness Score: -1.00%

Function 008410B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0084304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0084307A
Part of subcall function 0084304E: _wcslen.LIBCMT ref: 0084309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00841112
WSAGetLastError.WSOCK32 ref: 00841121
WSAGetLastError.WSOCK32 ref: 008411C9
closesocket.WSOCK32(00000000), ref: 008411F9

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 62a47c7d1431d029e73532b005952d7f92769cb7eb344e57a56dd93dfaaf57ae
Instruction ID: 554d4639b1706e12f6e5c2f3d32779a1eaee9752efc4d98230802471bbdc4bbd
Opcode Fuzzy Hash: 62a47c7d1431d029e73532b005952d7f92769cb7eb344e57a56dd93dfaaf57ae
Instruction Fuzzy Hash: 5A41D431600208AFDF109F24C889BA9BBE9FF45369F148059F919DB291D774ED81CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0082CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0082DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0082CF22,?), ref: 0082DDFD

Part of subcall function 0082DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0082CF22,?), ref: 0082DE16

lstrcmpiW.KERNEL32(?,?), ref: 0082CF45
MoveFileW.KERNEL32(?,?), ref: 0082CF7F
_wcslen.LIBCMT ref: 0082D005
_wcslen.LIBCMT ref: 0082D01B
SHFileOperationW.SHELL32(?), ref: 0082D061

Strings

\*.*, xrefs: 0082CFF3

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 2463bae54e259a78e0a37b522192157bfddf505f328cc4ee61113ec497664020
Instruction ID: da0c43342e0f4787e4395c3a453c37198e2cc1ab345bc73e0e74f3883c19175b
Opcode Fuzzy Hash: 2463bae54e259a78e0a37b522192157bfddf505f328cc4ee61113ec497664020
Instruction Fuzzy Hash: B84155719452299FDF12EBA4DA85EEDB7B8FF08340F1000E6E545EB142EF74A684CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00852DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00852E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00852E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00852E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00852EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00852EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00852EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00852F0B

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: a164dac699f67fb3d9715358ad526d03c0ab5ad91ce94326c2518688dced6dee
Instruction ID: 2d4f55938f6f6c95453e3dda2d76ab442f5f7f0100582a95d38f22c8cbea5dd2
Opcode Fuzzy Hash: a164dac699f67fb3d9715358ad526d03c0ab5ad91ce94326c2518688dced6dee
Instruction Fuzzy Hash: 2D31F230604255AFDB21DF58EC8AF653BE1FB9A712F5901A5F901CB2B2CB71B8449B41

Uniqueness

Uniqueness Score: -1.00%

Function 00827726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00827769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0082778F
SysAllocString.OLEAUT32(00000000), ref: 00827792
SysAllocString.OLEAUT32(?), ref: 008277B0
SysFreeString.OLEAUT32(?), ref: 008277B9
StringFromGUID2.OLE32(?,?,00000028), ref: 008277DE
SysAllocString.OLEAUT32(?), ref: 008277EC

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: f78012cc14d6843d8cf2c2d8de309b8c6aca3627fdc816c675bd41c29498f419
Instruction ID: e4fba6bcbcef34ad428fdebeb9315c039c077e5dccea0f0951a0599ff386c2d7
Opcode Fuzzy Hash: f78012cc14d6843d8cf2c2d8de309b8c6aca3627fdc816c675bd41c29498f419
Instruction Fuzzy Hash: 22219076604329AFDB10DFA9DC88CBB77ACFB097647448025FA15DB290D674DC818B64

Uniqueness

Uniqueness Score: -1.00%

Function 008277FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00827842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00827868
SysAllocString.OLEAUT32(00000000), ref: 0082786B
SysAllocString.OLEAUT32 ref: 0082788C
SysFreeString.OLEAUT32 ref: 00827895
StringFromGUID2.OLE32(?,?,00000028), ref: 008278AF
SysAllocString.OLEAUT32(?), ref: 008278BD

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: f2e5cfda159183883f0574ae27d9adf3f6cd82d9cf55496d6bfc65b814825d3a
Instruction ID: 6901ff76b9e1789b2c63dadbfe0ff5a2c9eec77c3a76f7154cfead02d2a552a3
Opcode Fuzzy Hash: f2e5cfda159183883f0574ae27d9adf3f6cd82d9cf55496d6bfc65b814825d3a
Instruction Fuzzy Hash: BD217435604228AFDB109FA9DC8CDAA77ECFB097607508135F915CB2A1D674DC81CB68

Uniqueness

Uniqueness Score: -1.00%

Function 008304D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 008304F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0083052E

Strings

nul, xrefs: 00830567

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: d2087d3a9427f597210d993f0db6f3b81ac8c2bbd96141c652ad79b475deb977
Instruction ID: e163939e10db7e051b5effb09a5c1821cc7a90caa99a1c5c10fcc616432454fa
Opcode Fuzzy Hash: d2087d3a9427f597210d993f0db6f3b81ac8c2bbd96141c652ad79b475deb977
Instruction Fuzzy Hash: 3B214C75500309AFDF209F69DC54A9A7BB4FF84725F204A19F8A1E72E0E7709950CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 008305A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 008305C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00830601

Strings

nul, xrefs: 00830639

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 18cc0819998b71c8a7b8909f290441e183b41c507ef1422241ed23ca4eccd62d
Instruction ID: 39853d01765f1aafac110bde4f354ea7b000bfff32f68dc8217a59583dd548df
Opcode Fuzzy Hash: 18cc0819998b71c8a7b8909f290441e183b41c507ef1422241ed23ca4eccd62d
Instruction Fuzzy Hash: 332195755003059FDB209F69CC15A9A77E8FFE5B25F200A19F8A1E72D4E7709860CF90

Uniqueness

Uniqueness Score: -1.00%

Function 008540AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007C600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 007C604C
Part of subcall function 007C600E: GetStockObject.GDI32(00000011), ref: 007C6060
Part of subcall function 007C600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 007C606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00854112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0085411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0085412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00854139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00854145

Strings

Msctls_Progress32, xrefs: 008540E3

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 0443d26079f5f24e42d7c802f38c4aed6b1e76811dba5c03a45f5cabecdc6a0f
Instruction ID: 1b8eb47718b7362f9d49c91e44d1afd5e88808585149b9dced74be19a6ccf51d
Opcode Fuzzy Hash: 0443d26079f5f24e42d7c802f38c4aed6b1e76811dba5c03a45f5cabecdc6a0f
Instruction Fuzzy Hash: BD1190B218021DBEEF119E64CC85EE77FADFF18798F105111BA18E2190C6769C619BA4

Uniqueness

Uniqueness Score: -1.00%

Function 007FD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007FD7A3: _free.LIBCMT ref: 007FD7CC

_free.LIBCMT ref: 007FD82D

Part of subcall function 007F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000), ref: 007F29DE
Part of subcall function 007F29C8: GetLastError.KERNEL32(00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000,00000000), ref: 007F29F0

_free.LIBCMT ref: 007FD838
_free.LIBCMT ref: 007FD843
_free.LIBCMT ref: 007FD897
_free.LIBCMT ref: 007FD8A2
_free.LIBCMT ref: 007FD8AD
_free.LIBCMT ref: 007FD8B8

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 8956c552c3231eaeca6cd31189136c557aecdf09ecc86ff17c0af1eb67743721
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 3811D07158170CEAD531FFB0CC4BFEB7BDD6F05700F404815B399AA6A2D669B9054A60

Uniqueness

Uniqueness Score: -1.00%

Function 0082DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0082DA74
LoadStringW.USER32(00000000), ref: 0082DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0082DA91
LoadStringW.USER32(00000000), ref: 0082DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0082DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0082DAB9

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: a943e74e9cd9758b72e2b4fd4559bd38a2cc5c2f25927f4a9e0040bdcb8c8a41
Instruction ID: 911b50cd9b55a526dcc1e754163492e4b9f128b59d2b195dce1b40862b0d9a8a
Opcode Fuzzy Hash: a943e74e9cd9758b72e2b4fd4559bd38a2cc5c2f25927f4a9e0040bdcb8c8a41
Instruction Fuzzy Hash: 3F0162F25003187FE710ABE49D89EEB376CF708306F404495B746E2041EA789E848F74

Uniqueness

Uniqueness Score: -1.00%

Function 0083096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0195E388,0195E388), ref: 0083097B
EnterCriticalSection.KERNEL32(0195E368,00000000), ref: 0083098D
TerminateThread.KERNEL32(00000000,000001F6), ref: 0083099B
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 008309A9
CloseHandle.KERNEL32(00000000), ref: 008309B8
InterlockedExchange.KERNEL32(0195E388,000001F6), ref: 008309C8
LeaveCriticalSection.KERNEL32(0195E368), ref: 008309CF

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 64072677c92868a2ad7608ed1a067b0fee388a7d3624dc176e23028ab899c9bf
Instruction ID: de54cd6122c0304fce091d4ca059bd18da45b45bc087406504ae3a5680c0b80f
Opcode Fuzzy Hash: 64072677c92868a2ad7608ed1a067b0fee388a7d3624dc176e23028ab899c9bf
Instruction Fuzzy Hash: 08F0C932442B12AFD7515BA4EE89BDABA69FF45703F802025F202948A1CB7994A5CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00841C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00841DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00841DE1
WSAGetLastError.WSOCK32 ref: 00841DF2
htons.WSOCK32(?,?,?,?,?), ref: 00841EDB
inet_ntoa.WSOCK32(?), ref: 00841E8C

Part of subcall function 008239E8: _strlen.LIBCMT ref: 008239F2

Part of subcall function 00843224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0083EC0C), ref: 00843240

_strlen.LIBCMT ref: 00841F35

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 2b62511d11bc2e8a3cf88f2e712140f79a1ba78b6996f218c5a67054088c07e5
Instruction ID: 86b3f3fbc2f8b9bbe834522f3fe5681261ff60ec7ef43ee8aad1927d4332bec1
Opcode Fuzzy Hash: 2b62511d11bc2e8a3cf88f2e712140f79a1ba78b6996f218c5a67054088c07e5
Instruction Fuzzy Hash: CDB1CE31204344AFCB24DF24C889F2ABBA5FF85318F54855CF4569B2A2DB35ED86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 007F01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 007F00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007F00D6
__allrem.LIBCMT ref: 007F00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007F010B
__allrem.LIBCMT ref: 007F0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007F0140

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: ed8eba516debf7e20e25c71bd34530234b0fa90510db3706a9678172983557d1
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 19810772601B0ADBEB209F69CC45B7E73E9EF45724F24453AF611D6782EB78D9008790

Uniqueness

Uniqueness Score: -1.00%

Function 007F61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,007E82D9,007E82D9,?,?,?,007F644F,00000001,00000001,8BE85006), ref: 007F6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,007F644F,00000001,00000001,8BE85006,?,?,?), ref: 007F62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 007F63D8
__freea.LIBCMT ref: 007F63E5

Part of subcall function 007F3820: RtlAllocateHeap.NTDLL(00000000,?,00891444,?,007DFDF5,?,?,007CA976,00000010,00891440,007C13FC,?,007C13C6,?,007C1129), ref: 007F3852

__freea.LIBCMT ref: 007F63EE
__freea.LIBCMT ref: 007F6413

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: eaaf6021a9a93cb59f66526b31929e39d02f2097c901a8d9bbb63a21ad703f57
Instruction ID: 6715f12537c7d57216114b8bdac2c7034369b8e75b393cbb4050d110aff48719
Opcode Fuzzy Hash: eaaf6021a9a93cb59f66526b31929e39d02f2097c901a8d9bbb63a21ad703f57
Instruction Fuzzy Hash: C051F072A0021AAFEB258F64CC85EBF77AAEF54750F154229FE05D7240EB38DC44D6A1

Uniqueness

Uniqueness Score: -1.00%

Function 0084BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

Part of subcall function 0084C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0084B6AE,?,?), ref: 0084C9B5
Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084C9F1
Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084CA68
Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0084BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0084BD25
RegCloseKey.ADVAPI32(00000000), ref: 0084BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0084BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0084BDF3
RegCloseKey.ADVAPI32(?), ref: 0084BDFF

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: f91fc499af65a356412b7af4efc73400c36691a70464e048b85955d525324c44
Instruction ID: f988809f679c0635ead9d6dbef5c888ea947a191ae3485fdf042b5734f62e7d5
Opcode Fuzzy Hash: f91fc499af65a356412b7af4efc73400c36691a70464e048b85955d525324c44
Instruction Fuzzy Hash: BE817B30208245EFD714DF24C895E2ABBE5FF84308F14899CF5598B2A2DB36ED45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0081F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0081F7B9
SysAllocString.OLEAUT32(00000001), ref: 0081F860
VariantCopy.OLEAUT32(0081FA64,00000000), ref: 0081F889
VariantClear.OLEAUT32(0081FA64), ref: 0081F8AD
VariantCopy.OLEAUT32(0081FA64,00000000), ref: 0081F8B1
VariantClear.OLEAUT32(?), ref: 0081F8BB

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 4ceeeca25f762584362b3ba9dd50b01425d8606a5d1d04193dcf8f786b21fd53
Instruction ID: 73e8122d6cefbca35046737789ff8a7271073ac84d1546510e992fca1a098e53
Opcode Fuzzy Hash: 4ceeeca25f762584362b3ba9dd50b01425d8606a5d1d04193dcf8f786b21fd53
Instruction Fuzzy Hash: 4251D731600314FACF10AB65D895BA9B7ACFF45714F14446BEA06DF293DB748C80CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0083910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 007C7620: _wcslen.LIBCMT ref: 007C7625

Part of subcall function 007C6B57: _wcslen.LIBCMT ref: 007C6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 008394E5
_wcslen.LIBCMT ref: 00839506
_wcslen.LIBCMT ref: 0083952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00839585

Strings

X, xrefs: 00839412

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 715eb459d40a2ed17e290633fdf8d66a27d6667a8c2d8f70ebb20fc4ecb28067
Instruction ID: 35e41e0421134ae870bef4a11cf93c82e201c3e807e16c8c31cef6d249249b5a
Opcode Fuzzy Hash: 715eb459d40a2ed17e290633fdf8d66a27d6667a8c2d8f70ebb20fc4ecb28067
Instruction Fuzzy Hash: 14E16B71608340DFC724EF24C885A6AB7E0FF84314F04896DE9999B3A2DB75ED45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 007D920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2

BeginPaint.USER32(?,?,?), ref: 007D9241
GetWindowRect.USER32(?,?), ref: 007D92A5
ScreenToClient.USER32(?,?), ref: 007D92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 007D92D3
EndPaint.USER32(?,?,?,?,?), ref: 007D9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 008171EA

Part of subcall function 007D9339: BeginPath.GDI32(00000000), ref: 007D9357

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 1a00b00203fde40182a5236aafc9bae5ebbc3e0046e28ed1cfe3c0a8fff1b369
Instruction ID: d61d1f1d733c9b3c4b5939b8cd8995f0406f0e548fea6f3f3908935a97a6d993
Opcode Fuzzy Hash: 1a00b00203fde40182a5236aafc9bae5ebbc3e0046e28ed1cfe3c0a8fff1b369
Instruction Fuzzy Hash: 77418C70108301AFDB11EF24CC88FAA7BB8FF55721F14062AFA95D72A1C735A845DB61

Uniqueness

Uniqueness Score: -1.00%

Function 008307EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0083080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00830847
EnterCriticalSection.KERNEL32(?), ref: 00830863
LeaveCriticalSection.KERNEL32(?), ref: 008308DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 008308F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00830921

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 8b4946fff475755f69e08b3b822cff2ae2590788140c9da5908cd9c0146b22f4
Instruction ID: d1e5b2c28ffabfba200ff7a1fac268246939e6d7570037f0eaf032b299d6da22
Opcode Fuzzy Hash: 8b4946fff475755f69e08b3b822cff2ae2590788140c9da5908cd9c0146b22f4
Instruction Fuzzy Hash: 0A415771900205EFDF14AF64DC85A6ABBB9FF44300F1440A9ED05EA296DB34DE64DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 008581DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0081F3AB,00000000,?,?,00000000,?,0081682C,00000004,00000000,00000000), ref: 0085824C
EnableWindow.USER32(00000000,00000000), ref: 00858272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 008582D1
ShowWindow.USER32(00000000,00000004), ref: 008582E5
EnableWindow.USER32(00000000,00000001), ref: 0085830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0085832F

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 938831d43b666dd30ccaaff32535fc2e85cf5160df0e072278d960e8e884d25f
Instruction ID: 2c6d77b5c18af4ec93a42cd992b7f24bb18de8c1c3a2baade0a7be2ee50a7b6c
Opcode Fuzzy Hash: 938831d43b666dd30ccaaff32535fc2e85cf5160df0e072278d960e8e884d25f
Instruction Fuzzy Hash: F5418234601645EFDF12DF25C899BE47FE1FB0A716F18416AE908DB262CB31A849CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00824C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00824C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00824CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00824CEA
_wcslen.LIBCMT ref: 00824D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00824D10
_wcsstr.LIBVCRUNTIME ref: 00824D1A

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 561e1cef34a4723ddd2dd8e69442007346458d2896bffff7f68e9e666e3f195f
Instruction ID: dd28442d4a90dabbddc1ca86ba346355c9f8b34949571d950fc34e65d50abc23
Opcode Fuzzy Hash: 561e1cef34a4723ddd2dd8e69442007346458d2896bffff7f68e9e666e3f195f
Instruction Fuzzy Hash: AA212931204214BBEB155B39FC09E7B7BECEF45750F10507EF805CA192EA65DD4086B0

Uniqueness

Uniqueness Score: -1.00%

Function 0083581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 007C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007C3A97,?,?,007C2E7F,?,?,?,00000000), ref: 007C3AC2

_wcslen.LIBCMT ref: 0083587B
CoInitialize.OLE32(00000000), ref: 00835995
CoCreateInstance.OLE32(0085FCF8,00000000,00000001,0085FB68,?), ref: 008359AE
CoUninitialize.OLE32 ref: 008359CC

Strings

.lnk, xrefs: 00835876, 008358C1, 00835985

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 05ba5da93f7d29b88756fbe5dca0d05eeae494bc12a93b99eeade28db4949847
Instruction ID: 01a7f1d309e52f12d0c1413fbf2e2a980b2261b0060e33a89e1d5fed89286de3
Opcode Fuzzy Hash: 05ba5da93f7d29b88756fbe5dca0d05eeae494bc12a93b99eeade28db4949847
Instruction Fuzzy Hash: 98D14E71608601DFC714EF24C488A2ABBE1FF89724F14885DF88A9B361DB35ED45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0082175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00820FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00820FCA
Part of subcall function 00820FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00820FD6
Part of subcall function 00820FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00820FE5
Part of subcall function 00820FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00820FEC
Part of subcall function 00820FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00821002

GetLengthSid.ADVAPI32(?,00000000,00821335), ref: 008217AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 008217BA
HeapAlloc.KERNEL32(00000000), ref: 008217C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 008217DA
GetProcessHeap.KERNEL32(00000000,00000000,00821335), ref: 008217EE
HeapFree.KERNEL32(00000000), ref: 008217F5

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 4320e387720e33bc5b4c77b4b4483f94086a1f4618c6520ad38e43c2bd2ccd93
Instruction ID: d6467e739118b6ca63200cc2b02f3d3322db7a341f4ef359ff5ff37d47d40001
Opcode Fuzzy Hash: 4320e387720e33bc5b4c77b4b4483f94086a1f4618c6520ad38e43c2bd2ccd93
Instruction Fuzzy Hash: 4B11AC31500715EFDF109FA4EC49BAE7BA9FB95356F204018F441D7255C739A984CF60

Uniqueness

Uniqueness Score: -1.00%

Function 008214CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008214FF
OpenProcessToken.ADVAPI32(00000000), ref: 00821506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00821515
CloseHandle.KERNEL32(00000004), ref: 00821520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0082154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00821563

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 5451372b3118de1686bd800bab08465259aed05bf198d302f985ff9cabc0125f
Instruction ID: c351abba588df93283ff7ce8143043d5209ab53554e2641ff34bd23c3dc7500b
Opcode Fuzzy Hash: 5451372b3118de1686bd800bab08465259aed05bf198d302f985ff9cabc0125f
Instruction Fuzzy Hash: 9D11597250030DAFDF118F98EE49BDE7BA9FF48705F144055FA05A2160C3758EA0DB60

Uniqueness

Uniqueness Score: -1.00%

Function 007E3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,007E3379,007E2FE5), ref: 007E3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 007E339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007E33B7
SetLastError.KERNEL32(00000000,?,007E3379,007E2FE5), ref: 007E3409

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0b98bf915467305a561e47f87454d1a2a471e75254fff87d9c7e976bc317da1b
Instruction ID: 0923b255494b954ba284a6af4be40a9ddf77b9f07f01be8fd864d7fb989e0aef
Opcode Fuzzy Hash: 0b98bf915467305a561e47f87454d1a2a471e75254fff87d9c7e976bc317da1b
Instruction Fuzzy Hash: 1501283220B791FFE726277B7C8D9662A94FB0D3B97300229F410872F1EF694D015664

Uniqueness

Uniqueness Score: -1.00%

Function 007F2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,007F5686,00803CD6,?,00000000,?,007F5B6A,?,?,?,?,?,007EE6D1,?,00888A48), ref: 007F2D78
_free.LIBCMT ref: 007F2DAB
_free.LIBCMT ref: 007F2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,007EE6D1,?,00888A48,00000010,007C4F4A,?,?,00000000,00803CD6), ref: 007F2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,007EE6D1,?,00888A48,00000010,007C4F4A,?,?,00000000,00803CD6), ref: 007F2DEC
_abort.LIBCMT ref: 007F2DF2

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 3ca95612453d670ada79c4dd5f70e01596be1c2535632a972a228c516dc73c74
Instruction ID: 96f3c6fbfbfef75f8e063bb7463c08bfe3b580a4776a3f79dc01745f4bab69a3
Opcode Fuzzy Hash: 3ca95612453d670ada79c4dd5f70e01596be1c2535632a972a228c516dc73c74
Instruction Fuzzy Hash: 81F0F435645B0CBBC2122738BC0EA7A2559BFC17A1B240118FB24D23A3EE2C88034561

Uniqueness

Uniqueness Score: -1.00%

Function 00858A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 007D9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 007D9693
Part of subcall function 007D9639: SelectObject.GDI32(?,00000000), ref: 007D96A2
Part of subcall function 007D9639: BeginPath.GDI32(?), ref: 007D96B9
Part of subcall function 007D9639: SelectObject.GDI32(?,00000000), ref: 007D96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00858A4E
LineTo.GDI32(?,00000003,00000000), ref: 00858A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00858A70
LineTo.GDI32(?,00000000,00000003), ref: 00858A80
EndPath.GDI32(?), ref: 00858A90
StrokePath.GDI32(?), ref: 00858AA0

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 2dcadd2afac4907f25f17f2155131f1d0b6e9805fbc3e54ddfedf4cdfe6ffcf4
Instruction ID: aef8c4a85c7e9390fee8d5e6de8eb9e53577ec1c876375995974dcea18daed1f
Opcode Fuzzy Hash: 2dcadd2afac4907f25f17f2155131f1d0b6e9805fbc3e54ddfedf4cdfe6ffcf4
Instruction Fuzzy Hash: 77110976000219FFDF129F90DC88EAA7F6DFB08391F048012FA199A1A1C7729D55DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 008251FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00825218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00825229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00825230
ReleaseDC.USER32(00000000,00000000), ref: 00825238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0082524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00825261

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 2a97616122b8baf5d1e1747bcb59c5199779ff1a0acce04ff68c77024f1ca849
Instruction ID: ffb38f04313ebeffced521fd80cd5bf6cac6b91875ea4586286f1811b7b8eec4
Opcode Fuzzy Hash: 2a97616122b8baf5d1e1747bcb59c5199779ff1a0acce04ff68c77024f1ca849
Instruction Fuzzy Hash: 09014F75A40718BFEB109BA69C49E5EBFB8FF48752F044065FA04E7281DA749900CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 007C1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 007C1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 007C1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 007C1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 007C1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 007C1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 007C1C22

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: dbcbe7ff841e91a5b37935c495e649e591fd34ea1319ecc12088192f330202e7
Instruction ID: 246239c133a2435621cac8e372caf596f171679365a37f04dd9651d48404ebb1
Opcode Fuzzy Hash: dbcbe7ff841e91a5b37935c495e649e591fd34ea1319ecc12088192f330202e7
Instruction Fuzzy Hash: 980144B0902B5ABDE3008F6A8C85A52FEA8FF19354F00411BA15C4BA42C7B5A864CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0082EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0082EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0082EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0082EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0082EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0082EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0082EB75

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 9baac0b712e47b49fd89a8e42dd11749470cb27b7fa543a695878befbaafd31e
Instruction ID: 80becd73c53bfe9a63cd898acf7954af3b4648e0219fa92bbbc42e97fceb4c9c
Opcode Fuzzy Hash: 9baac0b712e47b49fd89a8e42dd11749470cb27b7fa543a695878befbaafd31e
Instruction Fuzzy Hash: 29F01D72140758BFE6215B529C0DEEB7EBCFBCAB12F000159F601D119196A45A418AB5

Uniqueness

Uniqueness Score: -1.00%

Function 00817439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00817452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00817469
GetWindowDC.USER32(?), ref: 00817475
GetPixel.GDI32(00000000,?,?), ref: 00817484
ReleaseDC.USER32(?,00000000), ref: 00817496
GetSysColor.USER32(00000005), ref: 008174B0

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 6e24b8aaa6f16bb1da52d5f03d42de1a1c5120babb56ccd3e4effea8a17485b8
Instruction ID: b62b6cf5711cee6371131b2645bdd25bc28d526d32efd9f29cf866c5553c1873
Opcode Fuzzy Hash: 6e24b8aaa6f16bb1da52d5f03d42de1a1c5120babb56ccd3e4effea8a17485b8
Instruction Fuzzy Hash: 4A012431404315EFEB515FA4DC48BEA7BBAFF04322F650168FA16A21A1CB391E91EF50

Uniqueness

Uniqueness Score: -1.00%

Function 00821874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0082187F
UnloadUserProfile.USERENV(?,?), ref: 0082188B
CloseHandle.KERNEL32(?), ref: 00821894
CloseHandle.KERNEL32(?), ref: 0082189C
GetProcessHeap.KERNEL32(00000000,?), ref: 008218A5
HeapFree.KERNEL32(00000000), ref: 008218AC

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 6f8fdc14ca60018c1ee99ba8199211915442a9eabac216039539bddc0b275cd2
Instruction ID: ed697d00b4ccd78f69ababa5262be49e41ad9417f1c5cd0380e70bdb782557e0
Opcode Fuzzy Hash: 6f8fdc14ca60018c1ee99ba8199211915442a9eabac216039539bddc0b275cd2
Instruction Fuzzy Hash: C9E0C236044705BFDA015BA5ED0C94ABB69FB49B22B908220F22681570CB36A4A0DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0082C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007C7620: _wcslen.LIBCMT ref: 007C7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0082C6EE
_wcslen.LIBCMT ref: 0082C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0082C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0082C7CA

Strings

0, xrefs: 0082C6AF

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: ca42fffc91e6d8461144d01af7c16e3ac7fe3e2bdd9d11ed446a8501df3a9ee0
Instruction ID: b839aa9af4c6bd609105afce6772574700fabd64a9b0d53a051eabd899cf5d6b
Opcode Fuzzy Hash: ca42fffc91e6d8461144d01af7c16e3ac7fe3e2bdd9d11ed446a8501df3a9ee0
Instruction Fuzzy Hash: 4251BD716043219FD714AF28E889B7E77E8FF49314F040A2DF996E32A0DB64D984CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0084AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0084AEA3

Part of subcall function 007C7620: _wcslen.LIBCMT ref: 007C7625

GetProcessId.KERNEL32(00000000), ref: 0084AF38
CloseHandle.KERNEL32(00000000), ref: 0084AF67

Strings

@, xrefs: 0084AE72
<, xrefs: 0084AE6B

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: b8127a2d6283a4595f5fe566ba6976bec69407018df881e7cf491ca8d7a27a85
Instruction ID: 3d34a2c1e2d2c2cf2aae71a14285f540646f7546056359036c5d68317de7604a
Opcode Fuzzy Hash: b8127a2d6283a4595f5fe566ba6976bec69407018df881e7cf491ca8d7a27a85
Instruction Fuzzy Hash: 94712375A00619DFCB18DF54D488A9EBBB4FF08314F04849DE856AB3A2CB78ED45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0082719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00827206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0082723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0082724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 008272CF

Strings

DllGetClassObject, xrefs: 00827242

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: a7da78526891eddc245bd08a671a5b34b71731706634acfdcb6c91c91d81f32c
Instruction ID: dafed3950d79ed56f134074dc00c429f134a201e7ccec8a677c2bf8d6f4c6948
Opcode Fuzzy Hash: a7da78526891eddc245bd08a671a5b34b71731706634acfdcb6c91c91d81f32c
Instruction Fuzzy Hash: 35418CB1A04214EFDB15CF55D884A9A7BA9FF44314F1480ADFD06DF20AD7B4D984CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00821DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

Part of subcall function 00823CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00823CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00821E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00821E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00821EA9

Part of subcall function 007C6B57: _wcslen.LIBCMT ref: 007C6B6A

Strings

ComboBox, xrefs: 00821DF0
ListBox, xrefs: 00821E25

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 552c4e2711b087a43678413be4f5b56a98198e6ff0c072c34def46a034a53042
Instruction ID: 8aef3db14526e634adcd5a60c66c0cd8de73b256097eb29cde560c865018b5ab
Opcode Fuzzy Hash: 552c4e2711b087a43678413be4f5b56a98198e6ff0c072c34def46a034a53042
Instruction Fuzzy Hash: EA21E475A00204AEDB14AB64EC5DDFFB7B9FF65350B20412DF825E72E1DB384E498A20

Uniqueness

Uniqueness Score: -1.00%

Function 00852F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00852F8D
LoadLibraryW.KERNEL32(?), ref: 00852F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00852FA9
DestroyWindow.USER32(?), ref: 00852FB1

Strings

SysAnimate32, xrefs: 00852F68

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 2856b21e2b850bce291ea94f95510b88a47f0b8abdada190a61af1a352be1818
Instruction ID: 700c6373995f7a604c8979fbfa59a1e4cacb082810117871b227d161095b8f7f
Opcode Fuzzy Hash: 2856b21e2b850bce291ea94f95510b88a47f0b8abdada190a61af1a352be1818
Instruction Fuzzy Hash: 67218872204209ABEB205F64AC84EBB37B9FB5A366F100228FD50E6190DF71DC959B60

Uniqueness

Uniqueness Score: -1.00%

Function 007E4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,007E4D1E,007F28E9,?,007E4CBE,007F28E9,008888B8,0000000C,007E4E15,007F28E9,00000002), ref: 007E4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 007E4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,007E4D1E,007F28E9,?,007E4CBE,007F28E9,008888B8,0000000C,007E4E15,007F28E9,00000002,00000000), ref: 007E4DC3

Strings

CorExitProcess, xrefs: 007E4D98
mscoree.dll, xrefs: 007E4D86

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 94f42eb307fa197bc71cf7ee6ab79edaf17b53c291ff795cfa76e45032451cbb
Instruction ID: 5eab3dc45105511779dacae85799ceeb41043b155020d08b0f980085e18e742c
Opcode Fuzzy Hash: 94f42eb307fa197bc71cf7ee6ab79edaf17b53c291ff795cfa76e45032451cbb
Instruction Fuzzy Hash: DFF03C34A41308BFDB119F95DC49BAEBBA5FB48752F0000A4A905A6260CB795940CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0081D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0081D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0081D3BF
FreeLibrary.KERNEL32(00000000), ref: 0081D3E5

Strings

X64, xrefs: 0081D2A8
GetSystemWow64DirectoryW, xrefs: 0081D3B9

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 9aefed68fdd35fddbd1797ec64177a1b07e4ca42d7a95861b4a249b8996514bc
Instruction ID: 9e03b24b36164ccf41b693dab37765c7b542682c2c99731ac73739f200054e59
Opcode Fuzzy Hash: 9aefed68fdd35fddbd1797ec64177a1b07e4ca42d7a95861b4a249b8996514bc
Instruction Fuzzy Hash: F4F020B0845B218FCB7527208C88BEA332CFF11706B548056F822E2204EB78CCC48A92

Uniqueness

Uniqueness Score: -1.00%

Function 007C4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,007C4EDD,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 007C4EAE
FreeLibrary.KERNEL32(00000000,?,?,007C4EDD,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 007C4EA8
kernel32.dll, xrefs: 007C4E94

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 3a6901525f8551db5cc390adf1132ba30655313dc4f3bfdf41d1b953679c8bd1
Instruction ID: 0180438e53a295bcdb23e3c864451ac7b716d31d007c89b866b38b44a819bd33
Opcode Fuzzy Hash: 3a6901525f8551db5cc390adf1132ba30655313dc4f3bfdf41d1b953679c8bd1
Instruction Fuzzy Hash: 82E08C36A42B226F92322B25AC28F6B7758BF81F63B06011DFC00E2200DB6CCD0189A1

Uniqueness

Uniqueness Score: -1.00%

Function 007C4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00803CDE,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 007C4E74
FreeLibrary.KERNEL32(00000000,?,?,00803CDE,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4E87

Strings

kernel32.dll, xrefs: 007C4E5B
Wow64RevertWow64FsRedirection, xrefs: 007C4E6E

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: c5d2c762857d98098f18a95410e15c92e0279e9ed8e5b8a82b2b5beb340c2c58
Instruction ID: 6a58f582c8fbbc271a76b764b192986f5cc580a8ab61cd195e27b5bda36fdff3
Opcode Fuzzy Hash: c5d2c762857d98098f18a95410e15c92e0279e9ed8e5b8a82b2b5beb340c2c58
Instruction Fuzzy Hash: 6DD01235542B615B56221B297C28E8B7B19FF85F62306051DBD05E2215CF6CCD01CAD0

Uniqueness

Uniqueness Score: -1.00%

Function 0084A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0084A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0084A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0084A468
CloseHandle.KERNEL32(?), ref: 0084A63D

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 2a9d481a94646aacb5785e1438b92d6be4d15ce863e0db6d4cd9cde0a196f2a3
Instruction ID: a165496444ab38ac5aadd734e97772b8cb717549b1b0d72639ff175e330b9823
Opcode Fuzzy Hash: 2a9d481a94646aacb5785e1438b92d6be4d15ce863e0db6d4cd9cde0a196f2a3
Instruction Fuzzy Hash: A5A18C71644300AFD724DF24D886F2AB7E5EB88714F14885DF59ADB392DBB4EC418B82

Uniqueness

Uniqueness Score: -1.00%

Function 007FBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00863700), ref: 007FBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0089121C,000000FF,00000000,0000003F,00000000,?,?), ref: 007FBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00891270,000000FF,?,0000003F,00000000,?), ref: 007FBC36
_free.LIBCMT ref: 007FBB7F

Part of subcall function 007F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000), ref: 007F29DE
Part of subcall function 007F29C8: GetLastError.KERNEL32(00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000,00000000), ref: 007F29F0

_free.LIBCMT ref: 007FBD4B

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 5bad8f0a52cbf4c4c78ecb6a807fde021fc1f3abc69d4237cba5fbfd1348ae92
Instruction ID: 806d0be767eae83d2427b2f94dc5722631d5f1bc667d5c6a364846eda804a2b5
Opcode Fuzzy Hash: 5bad8f0a52cbf4c4c78ecb6a807fde021fc1f3abc69d4237cba5fbfd1348ae92
Instruction Fuzzy Hash: 7E51A47190420DEFCB10EFA9DC859BAB7B8FF44350B14426AE664D7391EB749D41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0082E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0082DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0082CF22,?), ref: 0082DDFD

Part of subcall function 0082DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0082CF22,?), ref: 0082DE16

Part of subcall function 0082E199: GetFileAttributesW.KERNEL32(?,0082CF95), ref: 0082E19A

lstrcmpiW.KERNEL32(?,?), ref: 0082E473
MoveFileW.KERNEL32(?,?), ref: 0082E4AC
_wcslen.LIBCMT ref: 0082E5EB
_wcslen.LIBCMT ref: 0082E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0082E650

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: d54dd183a97b3656b170c3ee45de45c815997cf8226ec77215b4f181a5de4462
Instruction ID: 4f4fbf2e2602a0c7717cef155ad2ba019bfd4525c5b30858794b72332d4d42f6
Opcode Fuzzy Hash: d54dd183a97b3656b170c3ee45de45c815997cf8226ec77215b4f181a5de4462
Instruction Fuzzy Hash: 185163B24087959BC724EB94DC859DFB3DCEF84340F40492EF689D3151EF74A588876A

Uniqueness

Uniqueness Score: -1.00%

Function 0084B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

Part of subcall function 0084C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0084B6AE,?,?), ref: 0084C9B5
Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084C9F1
Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084CA68
Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0084BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0084BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0084BB63
RegCloseKey.ADVAPI32(?,?), ref: 0084BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0084BBB3

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 6376b65f580723461e721cb34ba60c0bea5fba50d48516a23111035333cb7cae
Instruction ID: 6698f8772486a672c83b1ebd6f79e21d69370b4746a05896393e3d2245df9f7b
Opcode Fuzzy Hash: 6376b65f580723461e721cb34ba60c0bea5fba50d48516a23111035333cb7cae
Instruction Fuzzy Hash: E061AE31208245EFD714DF24C895E2ABBE5FF84318F14895CF4998B2A2DB35ED45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00828BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00828BCD
VariantClear.OLEAUT32 ref: 00828C3E
VariantClear.OLEAUT32 ref: 00828C9D
VariantClear.OLEAUT32(?), ref: 00828D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00828D3B

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: c22fff47b16a4003b207e863d9d578ed6f009878c319bdf0ffbf20b2f16a5957
Instruction ID: 1aa78ab92a93ed75bb40975a9d72e5bff6dbe6e35c0b4762806b6d2fc4c9bedd
Opcode Fuzzy Hash: c22fff47b16a4003b207e863d9d578ed6f009878c319bdf0ffbf20b2f16a5957
Instruction Fuzzy Hash: E65188B5A01219EFDB10CF68D884EAAB7F8FF89314B118559E909DB350E734E951CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00838AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00838BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00838BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00838C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00838C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00838C5F

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: d1ccaa886135d6a249c997ba9373975884721910945bfc3c2f582a799bdb2fa3
Instruction ID: 568ba8311af31cc400d7af912b04a6b00a9afbed80b3b0e41bdf1ecb21702514
Opcode Fuzzy Hash: d1ccaa886135d6a249c997ba9373975884721910945bfc3c2f582a799bdb2fa3
Instruction Fuzzy Hash: E7510535A00215DFCB05DF64C885E69BBF5FF48314F088459E849AB362DB39ED51DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00848EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00848F40
GetProcAddress.KERNEL32(00000000,?), ref: 00848FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00848FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00849032
FreeLibrary.KERNEL32(00000000), ref: 00849052

Part of subcall function 007DF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00831043,?,7529E610), ref: 007DF6E6
Part of subcall function 007DF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0081FA64,00000000,00000000,?,?,00831043,?,7529E610,?,0081FA64), ref: 007DF70D

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: eb279ca31c8d671271ab012eb6556ce324ca57ec3db90dd5b63197321a70cd40
Instruction ID: 5becd9a1cbb0874eaddc89060dc2ca36eb3b778e715a3416e103641f3666c16f
Opcode Fuzzy Hash: eb279ca31c8d671271ab012eb6556ce324ca57ec3db90dd5b63197321a70cd40
Instruction Fuzzy Hash: CE511735600609DFC715DF68C498DADBBF1FF49314B0580A9E84A9B362DB35ED85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00856B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00856C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00856C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00856C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0083AB79,00000000,00000000), ref: 00856C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00856CC7

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 4b1fb35c5d4a7a0664b4f44005029fd13b97b7dc0af1cccb396fcf2bb0d0b559
Instruction ID: 2e83d2902cb20d625800660c7c5de9edcdd7cac45d5de2425569602ea22b26aa
Opcode Fuzzy Hash: 4b1fb35c5d4a7a0664b4f44005029fd13b97b7dc0af1cccb396fcf2bb0d0b559
Instruction Fuzzy Hash: 5041D635A04204AFDB24DF28CC59FA97FA5FB09365F940228FC95E72E0E371AD65CA40

Uniqueness

Uniqueness Score: -1.00%

Function 007F2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007F20C3
_free.LIBCMT ref: 007F20E3

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 3a4c1a8cd245ecc0b26260792068cada884d0b955ccc05ec1e1a8ddcc093ca5e
Instruction ID: d8ae56b6296fb84adb53279e384412e128ebe68d5254ccae692a6ad53e03112e
Opcode Fuzzy Hash: 3a4c1a8cd245ecc0b26260792068cada884d0b955ccc05ec1e1a8ddcc093ca5e
Instruction Fuzzy Hash: 0041F232A00208DFCB20DF78C884A6DB7F5EF89314F1545A9E615EB392DB35AD02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 007D912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 007D9141
ScreenToClient.USER32(00000000,?), ref: 007D915E
GetAsyncKeyState.USER32(00000001), ref: 007D9183
GetAsyncKeyState.USER32(00000002), ref: 007D919D

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 6a19b51430905938e80140157afd70bb052bc24f7a598f388f5eb5b0e482e03a
Instruction ID: 5adba376d4f3edb220890b28aa70aa4e889677c6fd7aa92f28901422ea0a5364
Opcode Fuzzy Hash: 6a19b51430905938e80140157afd70bb052bc24f7a598f388f5eb5b0e482e03a
Instruction Fuzzy Hash: 5641607190860AFBDF199F68C848BEEB775FF05324F20421AE525A3290D7356D94CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00833874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 008338CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00833922
TranslateMessage.USER32(?), ref: 0083394B
DispatchMessageW.USER32(?), ref: 00833955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00833966

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: d6d43aeb55e94851ab491fdb28966b434f67d4d61d1640c98c1e2dd87479848a
Instruction ID: 433fae251bf93c34df21886206db8da64c00b6a4d7ce90a077012e00e9ee309d
Opcode Fuzzy Hash: d6d43aeb55e94851ab491fdb28966b434f67d4d61d1640c98c1e2dd87479848a
Instruction Fuzzy Hash: 34310670508346DFEF25DB34D809BB67FA8FB86304F08046AE862D25A0E3F49685DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0083CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0083CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0083CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0083C21E,00000000), ref: 0083CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0083C21E,00000000), ref: 0083CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0083C21E,00000000), ref: 0083CFF2

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 897b48195219c45bcc1d43f95b741cbb7308c221858be4d36c4087110e2f3f2b
Instruction ID: 43d6b3dbdce73e584282f2b181642544464580551f0bdf31bcf71047d4ee2ee7
Opcode Fuzzy Hash: 897b48195219c45bcc1d43f95b741cbb7308c221858be4d36c4087110e2f3f2b
Instruction Fuzzy Hash: 99313A71600709EFDB20DFA5C8849AABBF9FB54355F10442EE506E2241DB74AE419BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00821901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00821915
PostMessageW.USER32(00000001,00000201,00000001), ref: 008219C1
Sleep.KERNEL32(00000000,?,?,?), ref: 008219C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 008219DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 008219E2

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 482e5714fe81da1d791e86ea98de9b351047bee348a4c8c5de465cae182133a4
Instruction ID: 6003c4fcab7b3875b63584d6e356ab33dbd48247e44e398b5cba1a154ce39ea9
Opcode Fuzzy Hash: 482e5714fe81da1d791e86ea98de9b351047bee348a4c8c5de465cae182133a4
Instruction Fuzzy Hash: 60319C71A00229EFCB00CFA8D99DA9E7BB5FB14315F204229F921E72D1C7709A84CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00855706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00855745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0085579D
_wcslen.LIBCMT ref: 008557AF
_wcslen.LIBCMT ref: 008557BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00855816

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: e81af5807344a4929e8ea26ed912c052deca3d92690b5f52520e54c7581a74c2
Instruction ID: 04758a8592c7ddba432d8f8bbfe16a9a1aa9ce52a40b5bb47db7bfdc97198de4
Opcode Fuzzy Hash: e81af5807344a4929e8ea26ed912c052deca3d92690b5f52520e54c7581a74c2
Instruction Fuzzy Hash: C721B671904618DBDB209FA0DC84AEE7BB9FF04326F108256FD29EB180D7749A89CF50

Uniqueness

Uniqueness Score: -1.00%

Function 007D990F Relevance: 7.6, APIs: 5, Instructions: 74COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 007D98CC
SetTextColor.GDI32(?,?), ref: 007D98D6
SetBkMode.GDI32(?,00000001), ref: 007D98E9
GetStockObject.GDI32(00000005), ref: 007D98F1
GetWindowLongW.USER32(?,000000EB), ref: 007D9952

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 113f3c7c4175d095e63c7cca875cc2500082514d7c674bdcb800118874a6354b
Instruction ID: 6c3bd15fac99ba27b16da6a12ad5fe53bac310ac133d954ecc7888ff119c3c24
Opcode Fuzzy Hash: 113f3c7c4175d095e63c7cca875cc2500082514d7c674bdcb800118874a6354b
Instruction Fuzzy Hash: 5E21F6714453909FCB114F24ECA8BE53FB4AF67722F18418EE6D28B2A2D7396991DF10

Uniqueness

Uniqueness Score: -1.00%

Function 00840930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00840951
GetForegroundWindow.USER32 ref: 00840968
GetDC.USER32(00000000), ref: 008409A4
GetPixel.GDI32(00000000,?,00000003), ref: 008409B0
ReleaseDC.USER32(00000000,00000003), ref: 008409E8

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: ea7baf9b8e8563f13c017a409080604a4ee89d808c507346f9877b938dc771e3
Instruction ID: 5feab19f172e2a157ba23acba481e9e0704f8b8346f1e2369203c86be98f9148
Opcode Fuzzy Hash: ea7baf9b8e8563f13c017a409080604a4ee89d808c507346f9877b938dc771e3
Instruction Fuzzy Hash: 76215E35A00214AFD704EF69D889AAEBBE5FF48701F04846CE84AD7752CA34AD04CF90

Uniqueness

Uniqueness Score: -1.00%

Function 007FCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 007FCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007FCDE9

Part of subcall function 007F3820: RtlAllocateHeap.NTDLL(00000000,?,00891444,?,007DFDF5,?,?,007CA976,00000010,00891440,007C13FC,?,007C13C6,?,007C1129), ref: 007F3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 007FCE0F
_free.LIBCMT ref: 007FCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 007FCE31

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: c5c4377698c40a5cca6f1c963d0089b9db2140fe9c5a75aecf606609ea95a577
Instruction ID: 2dd39d26fa96b5d0ea6bf42ef8afcbdc20bf4927922c2ac97548dae54f06f957
Opcode Fuzzy Hash: c5c4377698c40a5cca6f1c963d0089b9db2140fe9c5a75aecf606609ea95a577
Instruction Fuzzy Hash: F4018472A0171D7F23221AB66D8CDBB796DEEC6BA1315012DFA05D7301EA6D8D0195F0

Uniqueness

Uniqueness Score: -1.00%

Function 007D9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 007D9693
SelectObject.GDI32(?,00000000), ref: 007D96A2
BeginPath.GDI32(?), ref: 007D96B9
SelectObject.GDI32(?,00000000), ref: 007D96E2

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: df9e92dcdc1af6fe69215619716cace11b226a9f0a52555dc12bddd3e36186ab
Instruction ID: d86df606e073bfdd567d7daa37d796d1dac06124dbc2e54dabb1268f7c2af874
Opcode Fuzzy Hash: df9e92dcdc1af6fe69215619716cace11b226a9f0a52555dc12bddd3e36186ab
Instruction Fuzzy Hash: 5A215E30806306EFDF11AF65EC187A97FB8BB50366F984217F511A62B0D3799892CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00825711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00825726
_memcmp.LIBVCRUNTIME ref: 00825744
_memcmp.LIBVCRUNTIME ref: 00825757
_memcmp.LIBVCRUNTIME ref: 0082576F
_memcmp.LIBVCRUNTIME ref: 00825787

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a41b76d6546ab49039c907c2c37a7802e0959804ba92bc35303e2228d9729d8e
Instruction ID: dfeb58b4bcc09ce28ae484b29b1b0c6ae9f5d4f5a7f6124f5bd00c8ff50e0b82
Opcode Fuzzy Hash: a41b76d6546ab49039c907c2c37a7802e0959804ba92bc35303e2228d9729d8e
Instruction Fuzzy Hash: 3E01F5716C2669FFD2089115AE86FBB734DFB243A9F404030FE04DA242F734ED5482A1

Uniqueness

Uniqueness Score: -1.00%

Function 007F2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,007EF2DE,007F3863,00891444,?,007DFDF5,?,?,007CA976,00000010,00891440,007C13FC,?,007C13C6), ref: 007F2DFD
_free.LIBCMT ref: 007F2E32
_free.LIBCMT ref: 007F2E59
SetLastError.KERNEL32(00000000,007C1129), ref: 007F2E66
SetLastError.KERNEL32(00000000,007C1129), ref: 007F2E6F

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 11b1492a215e0967ae2e3ce84aaf897ee3df38b9572e1d53f0f7b541412e9d8e
Instruction ID: 3398ad435ec4d23e38243023221c4ee450bd55c791aa2c230f0f85f8d018e4ed
Opcode Fuzzy Hash: 11b1492a215e0967ae2e3ce84aaf897ee3df38b9572e1d53f0f7b541412e9d8e
Instruction Fuzzy Hash: 2301F43624570CEBC61267746C8DD7B2A59BBC17B5B340129FB21E23A3EA7C8C034520

Uniqueness

Uniqueness Score: -1.00%

Function 0082000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0081FF41,80070057,?,?,?,0082035E), ref: 0082002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0081FF41,80070057,?,?), ref: 00820046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0081FF41,80070057,?,?), ref: 00820054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0081FF41,80070057,?), ref: 00820064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0081FF41,80070057,?,?), ref: 00820070

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 9b53beaf9ce4bc521a4243136f7655acf0a61b81b3992b8889a742f7350980e8
Instruction ID: 232f63ac15f5abd6575653fa9d3b1e5e76d3cad68122e55b567d3de37124282c
Opcode Fuzzy Hash: 9b53beaf9ce4bc521a4243136f7655acf0a61b81b3992b8889a742f7350980e8
Instruction Fuzzy Hash: 2601A276A00724BFEB104F68EC44BAA7AEDFF44752F144124F905D2222E775DD808FA0

Uniqueness

Uniqueness Score: -1.00%

Function 0082E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0082E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0082E9A5
Sleep.KERNEL32(00000000), ref: 0082E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0082E9B7
Sleep.KERNEL32 ref: 0082E9F3

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: c10bf463f27f2a538d25b6879a1a78c8412d26c20016ed73b5c6feba069e9622
Instruction ID: fdc7a1f8d45e2e8203036776ad561e489e67a4b65a1f2d2fafd032fd18b0f6b9
Opcode Fuzzy Hash: c10bf463f27f2a538d25b6879a1a78c8412d26c20016ed73b5c6feba069e9622
Instruction Fuzzy Hash: ED010531C01A3DDBCF40ABE5E859AEDBB78FB09701F000556E502F2291CB3495948BA6

Uniqueness

Uniqueness Score: -1.00%

Function 008210F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00821114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00820B9B,?,?,?), ref: 00821120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00820B9B,?,?,?), ref: 0082112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00820B9B,?,?,?), ref: 00821136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0082114D

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 44a7f7026a636921c767a8ec5fdff2bf55f566764a6c5ae5db0e77e55be6fce3
Instruction ID: 3569eec15e3533e4d67b25a3f4af53c2c52a85fb0f3c77e6595099df428b8953
Opcode Fuzzy Hash: 44a7f7026a636921c767a8ec5fdff2bf55f566764a6c5ae5db0e77e55be6fce3
Instruction Fuzzy Hash: 97014675200315BFDB114BA8EC4DA6A3FAEFF892A1B200418FA41D2360EA35DC50CE60

Uniqueness

Uniqueness Score: -1.00%

Function 00820FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00820FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00820FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00820FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00820FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00821002

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 90389e75299a2ab56ca4404f1d2f52bd7c73eefa4457d6b6bd2dadd6ffefe834
Instruction ID: e94f0386d9b3379d889e94b37a777506565b4c839b2d7478b123d39492115a00
Opcode Fuzzy Hash: 90389e75299a2ab56ca4404f1d2f52bd7c73eefa4457d6b6bd2dadd6ffefe834
Instruction Fuzzy Hash: DDF04935240B15AFDB214FA5AC4DF5A3BADFF89B62F604414FA46C6291CA74DC808E60

Uniqueness

Uniqueness Score: -1.00%

Function 00821014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0082102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00821036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00821045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0082104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00821062

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: ab714eef816441c8fd6ea2b6e60cbbfa141733c05142948490fb4be0a32990ff
Instruction ID: cc6a4774cab0dd0a848ff6bb902f8d3644910f751a61712b16a37118e4d3ec68
Opcode Fuzzy Hash: ab714eef816441c8fd6ea2b6e60cbbfa141733c05142948490fb4be0a32990ff
Instruction Fuzzy Hash: 55F04935240B55AFDB219FA5EC4DF5A3BADFF89762F200414FA46C6290CA74D8808E60

Uniqueness

Uniqueness Score: -1.00%

Function 0083030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0083017D,?,008332FC,?,00000001,00802592,?), ref: 00830324
CloseHandle.KERNEL32(?,?,?,?,0083017D,?,008332FC,?,00000001,00802592,?), ref: 00830331
CloseHandle.KERNEL32(?,?,?,?,0083017D,?,008332FC,?,00000001,00802592,?), ref: 0083033E
CloseHandle.KERNEL32(?,?,?,?,0083017D,?,008332FC,?,00000001,00802592,?), ref: 0083034B
CloseHandle.KERNEL32(?,?,?,?,0083017D,?,008332FC,?,00000001,00802592,?), ref: 00830358
CloseHandle.KERNEL32(?,?,?,?,0083017D,?,008332FC,?,00000001,00802592,?), ref: 00830365

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: f9ed309813edaf03c1a124d14681fb5d975231f5aff9e740aec149f0d7083591
Instruction ID: 0032c67647c106c7a78eaedce86665800cc18e94ae45d8238dcdfcf610c3fd0a
Opcode Fuzzy Hash: f9ed309813edaf03c1a124d14681fb5d975231f5aff9e740aec149f0d7083591
Instruction Fuzzy Hash: C801A272800B159FCB309F66D890412F7F9FF903157158A3FD19692A31C371A954CF80

Uniqueness

Uniqueness Score: -1.00%

Function 007FD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007FD752

Part of subcall function 007F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000), ref: 007F29DE
Part of subcall function 007F29C8: GetLastError.KERNEL32(00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000,00000000), ref: 007F29F0

_free.LIBCMT ref: 007FD764
_free.LIBCMT ref: 007FD776
_free.LIBCMT ref: 007FD788
_free.LIBCMT ref: 007FD79A

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 629525ab6f0a0bc8770618741b5fc5bef7dd84ecbbaabc0474d4b72d0c84ef16
Instruction ID: 4b466713ea8e07440c39715a166b7fdad3b1d5eb9371f90eed8016521ef8a74b
Opcode Fuzzy Hash: 629525ab6f0a0bc8770618741b5fc5bef7dd84ecbbaabc0474d4b72d0c84ef16
Instruction Fuzzy Hash: AEF0FF3259420DAB8621FB68F9C5C3A7BDEBB447107A40805F258EB626C778FC808B74

Uniqueness

Uniqueness Score: -1.00%

Function 00825C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00825C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00825C6F
MessageBeep.USER32(00000000), ref: 00825C87
KillTimer.USER32(?,0000040A), ref: 00825CA3
EndDialog.USER32(?,00000001), ref: 00825CBD

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 117d3687f61f19dcfdfe37ffa49d38e08f743ea562641f5290d9f033d277b3f6
Instruction ID: be93153f7922a6dd4a2b4dfb98b64f5fb8adb85983f935eb60e50cb974736ca3
Opcode Fuzzy Hash: 117d3687f61f19dcfdfe37ffa49d38e08f743ea562641f5290d9f033d277b3f6
Instruction Fuzzy Hash: D3018170540B14AFEB215B50ED5EFA677F8FB14B46F00055DA583A14E1EBF8AA888E90

Uniqueness

Uniqueness Score: -1.00%

Function 007F22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 007F22BE

Part of subcall function 007F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000), ref: 007F29DE
Part of subcall function 007F29C8: GetLastError.KERNEL32(00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000,00000000), ref: 007F29F0

_free.LIBCMT ref: 007F22D0
_free.LIBCMT ref: 007F22E3
_free.LIBCMT ref: 007F22F4
_free.LIBCMT ref: 007F2305

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a053191d2170143411ca281ee17f3c04803022c0f7929e7c9d1c13586ae210da
Instruction ID: b09b7e83b4da207c761f31d64458a099ffb1cf29526ffe48f95ba08b8d7f3a2b
Opcode Fuzzy Hash: a053191d2170143411ca281ee17f3c04803022c0f7929e7c9d1c13586ae210da
Instruction Fuzzy Hash: 3FF05E71884126CF8A12FF98BC098283B64FB18760709051BF514E73BACB781912AFE4

Uniqueness

Uniqueness Score: -1.00%

Function 007D95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 007D95D4
StrokeAndFillPath.GDI32(?,?,008171F7,00000000,?,?,?), ref: 007D95F0
SelectObject.GDI32(?,00000000), ref: 007D9603
DeleteObject.GDI32 ref: 007D9616
StrokePath.GDI32(?), ref: 007D9631

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 0cda37a1c8c9d015bd3f06d78e705aea3f876c1ac1016f7e6cdf57e3a815b092
Instruction ID: 27402454472b09c5f3559e180611679818d6faa00f35da472488d6414ebf786c
Opcode Fuzzy Hash: 0cda37a1c8c9d015bd3f06d78e705aea3f876c1ac1016f7e6cdf57e3a815b092
Instruction Fuzzy Hash: 4FF01930009705EFDB126F65ED1C7A43F71BB00362F488216F525551F0D73989A1DF20

Uniqueness

Uniqueness Score: -1.00%

Function 007F0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 007F10F9
__freea.LIBCMT ref: 007F1117

Part of subcall function 007F1537: _free.LIBCMT ref: 007F154F

Strings

am/pm, xrefs: 007F117A
a/p, xrefs: 007F11DE

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 1d7ae476ff71016067041c16f9a02aa4ffafda2fc4de4797d6ed169b27533bc6
Instruction ID: 22b0d142463c0148510520220dc809f79f6fb38a8bdacde15bd3e6d93c48ddd7
Opcode Fuzzy Hash: 1d7ae476ff71016067041c16f9a02aa4ffafda2fc4de4797d6ed169b27533bc6
Instruction Fuzzy Hash: 31D1F231A1020ECADB289F68C855BFAB7B1FF06310FA84159EB11AB751D77D9D80CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00847B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 007E0242: EnterCriticalSection.KERNEL32(0089070C,00891884,?,?,007D198B,00892518,?,?,?,007C12F9,00000000), ref: 007E024D
Part of subcall function 007E0242: LeaveCriticalSection.KERNEL32(0089070C,?,007D198B,00892518,?,?,?,007C12F9,00000000), ref: 007E028A

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

Part of subcall function 007E00A3: __onexit.LIBCMT ref: 007E00A9

__Init_thread_footer.LIBCMT ref: 00847BFB

Part of subcall function 007E01F8: EnterCriticalSection.KERNEL32(0089070C,?,?,007D8747,00892514), ref: 007E0202
Part of subcall function 007E01F8: LeaveCriticalSection.KERNEL32(0089070C,?,007D8747,00892514), ref: 007E0235

Strings

5, xrefs: 00847C78
Variable must be of type 'Object'., xrefs: 00847C3A
G, xrefs: 00847C7F

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: edd12634db1a715dbabd06aa07c8f622c474b2b9112bb21f0794287b56113b46
Instruction ID: ef7cd21b62c6156295a73a82e1d2203ad2e6033f106e0a7586cc0ac66c968948
Opcode Fuzzy Hash: edd12634db1a715dbabd06aa07c8f622c474b2b9112bb21f0794287b56113b46
Instruction Fuzzy Hash: AE915674A0420DEFCB14EF98D895EADB7B2FF48304F148059F806AB292DB75AE45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 007F8A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 007F8B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 007F8B7A
__dosmaperr.LIBCMT ref: 007F8B81

Strings

.~, xrefs: 007F8A63

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .~
API String ID: 2434981716-505086709
Opcode ID: 06c9cedee000b3643ffa922ffe08edd86ed2f58d1ddb415cddddf5bc1c4b05b8
Instruction ID: 53e013105071bac08744e369e43c686731152807fdb14b0ebaf3739e80d320f7
Opcode Fuzzy Hash: 06c9cedee000b3643ffa922ffe08edd86ed2f58d1ddb415cddddf5bc1c4b05b8
Instruction Fuzzy Hash: 65419FF160414DAFCB659F24DC85A7D7FA5EB85300F2C819AFA548B742DE39CD028751

Uniqueness

Uniqueness Score: -1.00%

Function 00822716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0082B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008221D0,?,?,00000034,00000800,?,00000034), ref: 0082B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00822760

Part of subcall function 0082B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008221FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0082B3F8

Part of subcall function 0082B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0082B355
Part of subcall function 0082B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00822194,00000034,?,?,00001004,00000000,00000000), ref: 0082B365
Part of subcall function 0082B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00822194,00000034,?,?,00001004,00000000,00000000), ref: 0082B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008227CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0082281A

Strings

@, xrefs: 00822832

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 537734bcbd890846e3fb703cbd10248cc1bd5cb9bb2d841982b1a5c78724e1f1
Instruction ID: 52a7d83939bb32342cd8a9e66307ccdbe18699a006442b9dfa788c57945e0e7c
Opcode Fuzzy Hash: 537734bcbd890846e3fb703cbd10248cc1bd5cb9bb2d841982b1a5c78724e1f1
Instruction Fuzzy Hash: 1B411D72901228BFDB10DBA8DD85ADEBBB8FF09700F104099FA55B7181DB706E85CB61

Uniqueness

Uniqueness Score: -1.00%

Function 007F172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe,00000104), ref: 007F1769
_free.LIBCMT ref: 007F1834
_free.LIBCMT ref: 007F183E

Strings

C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe, xrefs: 007F1760, 007F1767, 007F1796, 007F17CE

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe
API String ID: 2506810119-2164840763
Opcode ID: e37fe49537fac19dcb975639e2008a42ca2ed98eed218bed614219c97bd8f844
Instruction ID: 5b4b43f379e86c97f901c489aafd69bf65d0d70809f80cc8920109a4eadae799
Opcode Fuzzy Hash: e37fe49537fac19dcb975639e2008a42ca2ed98eed218bed614219c97bd8f844
Instruction Fuzzy Hash: 92319D71A0420CEFCB21EB999989DAEBBFCEB85360F544166EA0497311D6748A40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0082C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0082C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0082C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00891990,01965898), ref: 0082C395

Strings

0, xrefs: 0082C2DF

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 3c046e6a37e4dd0f631699c06c813209673b0c1ce5af2ccdf63861f92b755cde
Instruction ID: 128aece3e6d6ece3a6cf61edda215c54705176c0038d0b54b4e41d7889d0eb3d
Opcode Fuzzy Hash: 3c046e6a37e4dd0f631699c06c813209673b0c1ce5af2ccdf63861f92b755cde
Instruction Fuzzy Hash: F0418B31204351AFD720DF29E888B6EBBA8FF85324F008A1DE9A5D7391D734A944CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00854416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0085CC08,00000000,?,?,?,?), ref: 008544AA
GetWindowLongW.USER32 ref: 008544C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008544D7

Strings

SysTreeView32, xrefs: 0085447C

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 7b68cad5e425434258f72db2135e4b73d5e7b86a56e03699d86456a2615fbd19
Instruction ID: 355c2fb02c6827ded6fd2ec976502b933cd69d373269591bfa9f7dae780935e3
Opcode Fuzzy Hash: 7b68cad5e425434258f72db2135e4b73d5e7b86a56e03699d86456a2615fbd19
Instruction Fuzzy Hash: 63318B31240205AFDF209E38DC45BEA7BA9FB08329F205319F979E22D0D774EC949B50

Uniqueness

Uniqueness Score: -1.00%

Function 0084304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0084335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00843077,?,?), ref: 00843378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0084307A
_wcslen.LIBCMT ref: 0084309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00843106

Strings

255.255.255.255, xrefs: 00843095, 0084309A

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 8d79af8b35a8a033d5ad43b0b9ad0d1321e0cb216cec5397a229b727a2384e8f
Instruction ID: d9dbc7e93298c3ee8366971cbf3525f9d85876962c6f796028eeb9b8cf52437a
Opcode Fuzzy Hash: 8d79af8b35a8a033d5ad43b0b9ad0d1321e0cb216cec5397a229b727a2384e8f
Instruction Fuzzy Hash: CE31E435200209DFDB10CF68C485EAA77E0FF14318F248199E915DB392DB76EE45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00854653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00854705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00854713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0085471A

Strings

msctls_updown32, xrefs: 00854684

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: c8196ba334c455552098e150af1f54643bbb000433f063c12b92c3c1a8c64714
Instruction ID: aae452a5ebf7ed9e473ab555d490c1b27bd4e8ecd5b36888bfe76eea4101807d
Opcode Fuzzy Hash: c8196ba334c455552098e150af1f54643bbb000433f063c12b92c3c1a8c64714
Instruction Fuzzy Hash: 97218CB5604209AFEB11DF68DCC5DA737EDFB5A3A9B041049FA01DB291CB30EC55CA60

Uniqueness

Uniqueness Score: -1.00%

Function 008295AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0082961D

Strings

#requireadmin, xrefs: 008295D9
#OnAutoItStartRegister, xrefs: 008295F3
#notrayicon, xrefs: 008295B7

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 82607a9482cb9557e82240882f2a68ee690c8cf3c9761b97f68a78a8e298981f
Instruction ID: 31c2173baf76b92fe582a649a8e87ad42954119a2430a85f95d74732c5b524b4
Opcode Fuzzy Hash: 82607a9482cb9557e82240882f2a68ee690c8cf3c9761b97f68a78a8e298981f
Instruction Fuzzy Hash: 0F213832204530A6D331AA25AD06FB773D8FF65314F10402AF9DAD7182EB59AD85C2A6

Uniqueness

Uniqueness Score: -1.00%

Function 008537B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00853840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00853850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00853876

Strings

Listbox, xrefs: 0085380F

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: b55cf22dea26d95d0ec8678349f5891e6237ec98eda1694b4690ccea49e323a9
Instruction ID: f4d366058e3a799d404ed15193cc4b30c15f20a512c77937d136f299ba489a18
Opcode Fuzzy Hash: b55cf22dea26d95d0ec8678349f5891e6237ec98eda1694b4690ccea49e323a9
Instruction Fuzzy Hash: 2921CF72600218BBEF219FA4CC85FBB376EFF89791F108124F910AB190C675DC568BA0

Uniqueness

Uniqueness Score: -1.00%

Function 008349F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00834A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00834A5C
SetErrorMode.KERNEL32(00000000,?,?,0085CC08), ref: 00834AD0

Strings

%lu, xrefs: 00834A6F

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 5eca4f84ae38b7c90ef4fac08867831c3278b49fca097d9bd18195842733be8c
Instruction ID: 12c3b554e7d51a88f234f2c714a43583ea733e0c2bdbebdce204673cb5744fb0
Opcode Fuzzy Hash: 5eca4f84ae38b7c90ef4fac08867831c3278b49fca097d9bd18195842733be8c
Instruction Fuzzy Hash: 75312F75A00219AFDB10DF64C885EAA7BF8FF44308F144099F905DB252DB75ED45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 008541EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0085424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00854264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00854271

Strings

msctls_trackbar32, xrefs: 00854226

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: e4a16bb6fe39a6c711659c991ee998de3da4701e9820099438fd145db8a76c04
Instruction ID: db852f0bed99de2bb0af5f6253555947620930a5ebab7396c8542192b94dbeab
Opcode Fuzzy Hash: e4a16bb6fe39a6c711659c991ee998de3da4701e9820099438fd145db8a76c04
Instruction Fuzzy Hash: 0011E331240208BEEF205E29CC46FAB3BACFF95B59F110128FA55E2090D271D8519B20

Uniqueness

Uniqueness Score: -1.00%

Function 00822F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007C6B57: _wcslen.LIBCMT ref: 007C6B6A

Part of subcall function 00822DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00822DC5
Part of subcall function 00822DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00822DD6
Part of subcall function 00822DA7: GetCurrentThreadId.KERNEL32 ref: 00822DDD
Part of subcall function 00822DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00822DE4

GetFocus.USER32 ref: 00822F78

Part of subcall function 00822DEE: GetParent.USER32(00000000), ref: 00822DF9

GetClassNameW.USER32(?,?,00000100), ref: 00822FC3
EnumChildWindows.USER32(?,0082303B), ref: 00822FEB

Strings

%s%d, xrefs: 00822FFF

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: d6b353ed4bbe74df5d29c7011d60f4c7b01ac30b13f6066384692d3eb19a621e
Instruction ID: 28e1b67a8f1a6981317948b519559db1e2a9e772bf88d565a7704fa514e255f7
Opcode Fuzzy Hash: d6b353ed4bbe74df5d29c7011d60f4c7b01ac30b13f6066384692d3eb19a621e
Instruction Fuzzy Hash: 0A11C3B1200219ABCF00BF749C95EED37AAFF94304F044079B909DB252DE385E898B70

Uniqueness

Uniqueness Score: -1.00%

Function 00855882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008558C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008558EE
DrawMenuBar.USER32(?), ref: 008558FD

Strings

0, xrefs: 0085588F

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: a70b4c57075a96941aa0c50b4b49a4285ae23c3ed8c37c7d1205988a91a3ecce
Instruction ID: b52ef3680a142ca8e605d10eb1fc9acf687747e4c1f485f275cf3ae79e1bd4ef
Opcode Fuzzy Hash: a70b4c57075a96941aa0c50b4b49a4285ae23c3ed8c37c7d1205988a91a3ecce
Instruction Fuzzy Hash: B9018431500218EFDB119F51EC44BAEBFB5FF45362F108099E849D6261DB348A84DF71

Uniqueness

Uniqueness Score: -1.00%

Function 0082007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c1ba45a9a6bcafaabb07d66c7de0194aae1644734704b8a8a26d689d5317f57
Instruction ID: 7d64030a5e0f8e819c4666b7c5538d55c01e897be25b79c729ded36bdeedeccd
Opcode Fuzzy Hash: 4c1ba45a9a6bcafaabb07d66c7de0194aae1644734704b8a8a26d689d5317f57
Instruction Fuzzy Hash: 7BC14C75A0021AEFDB14CF94D898AAEB7B5FF48704F108599E905EB252D731ED81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0084342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00843459
CoUninitialize.OLE32 ref: 00843463
VariantInit.OLEAUT32(?), ref: 0084346E
VariantClear.OLEAUT32(?), ref: 0084371B

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 22e74d9f8751b7a59706bb1fd5ecdfdab9faae4aafb13582f32f20ee619436c5
Instruction ID: 4f440d179eb729dfa824147b5150c142c5a8045f8e4f3a0985fd8b0a94028689
Opcode Fuzzy Hash: 22e74d9f8751b7a59706bb1fd5ecdfdab9faae4aafb13582f32f20ee619436c5
Instruction Fuzzy Hash: 08A103756042059FCB14DF28C489A2AB7E5FF88714F05885DF98A9B362DB34EE01DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00820436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0085FC08,?), ref: 008205F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0085FC08,?), ref: 00820608
CLSIDFromProgID.OLE32(?,?,00000000,0085CC40,000000FF,?,00000000,00000800,00000000,?,0085FC08,?), ref: 0082062D
_memcmp.LIBVCRUNTIME ref: 0082064E

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: f68f0d4ad1bfba5b10d021aed5568333e5a0f3a16c14fb499d1e9e7b4f2a3065
Instruction ID: 53fe8ba2a88d9ca97c8c23a092149137d7bf719d110a2073ea032cb953b959e3
Opcode Fuzzy Hash: f68f0d4ad1bfba5b10d021aed5568333e5a0f3a16c14fb499d1e9e7b4f2a3065
Instruction Fuzzy Hash: 07810771A00219EFCB04DF94C988EEEB7B9FF89315B204558E506EB251DB71AE46CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00801391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008014C0

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b5c7c581c81944569cd5854931deb426504f951b8cc5dabd844ca1dacf481562
Instruction ID: e570cc2bcf11f84f34dfc4d93e27ae780fd6d88acad25d6668cca0c23b74ed56
Opcode Fuzzy Hash: b5c7c581c81944569cd5854931deb426504f951b8cc5dabd844ca1dacf481562
Instruction Fuzzy Hash: 94415D32600948EBDF616FBD8C8D6BE3AAAFF45330F144225F618D72E2E73848415766

Uniqueness

Uniqueness Score: -1.00%

Function 00856278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0196F240,?), ref: 008562E2
ScreenToClient.USER32(?,?), ref: 00856315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00856382

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 7c7a7ca3302acaf76b3745099a3f4269ae9807294e8283ba0e73cf8ae33a4167
Instruction ID: 1be255b0b380951854d75fb57ba03486aa54f5ad3581d8347083bc47885e72d3
Opcode Fuzzy Hash: 7c7a7ca3302acaf76b3745099a3f4269ae9807294e8283ba0e73cf8ae33a4167
Instruction Fuzzy Hash: BB513A74A00209EFCF10DF68D884AAE7BB6FB45365F508169F815DB2A0E730ED95CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00841AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00841AFD
WSAGetLastError.WSOCK32 ref: 00841B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00841B8A
WSAGetLastError.WSOCK32 ref: 00841B94

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: efc7d14a1602e66942e46b88efcaafae91ded40abf813051e33f0cfff80da6dd
Instruction ID: a2fc383f17477b83c81b539f096b06adcde398b0c2af4fb343e56d8a41f145c9
Opcode Fuzzy Hash: efc7d14a1602e66942e46b88efcaafae91ded40abf813051e33f0cfff80da6dd
Instruction Fuzzy Hash: C6417035640304AFEB20AF24C88AF2977E5EB44718F54845CF91A9F7D2D776DD828B90

Uniqueness

Uniqueness Score: -1.00%

Function 007FB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb5fa1af4f0bddc5b69b3c690a3e106c13dead4a2a29c2c2a590fae8327b4119
Instruction ID: 413225fe76d7a2a60b8d8c35c765c48d7531b05ebcc46b1e472430f4e3de0cfb
Opcode Fuzzy Hash: fb5fa1af4f0bddc5b69b3c690a3e106c13dead4a2a29c2c2a590fae8327b4119
Instruction Fuzzy Hash: 63412B75900748FFD7249F78CC45B7E7BA9EB88710F10452AF251DB782D779A9018B90

Uniqueness

Uniqueness Score: -1.00%

Function 008356D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00835783
GetLastError.KERNEL32(?,00000000), ref: 008357A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 008357CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 008357FA

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: c5aa0cdebd00a23d008b3e6e19230e08204e92db08d51865cbf24d8120e13f87
Instruction ID: ba814c03e74319007079451c990c9fb31dfbc9b915675602eac088d0dd1be42a
Opcode Fuzzy Hash: c5aa0cdebd00a23d008b3e6e19230e08204e92db08d51865cbf24d8120e13f87
Instruction Fuzzy Hash: 7D410735600610DFCB15DF15D445A5ABBE2FF89320B18889CE84AAB362CB38FD41DF91

Uniqueness

Uniqueness Score: -1.00%

Function 007FD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,007E6D71,00000000,00000000,007E82D9,?,007E82D9,?,00000001,007E6D71,?,00000001,007E82D9,007E82D9), ref: 007FD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 007FD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 007FD9AB
__freea.LIBCMT ref: 007FD9B4

Part of subcall function 007F3820: RtlAllocateHeap.NTDLL(00000000,?,00891444,?,007DFDF5,?,?,007CA976,00000010,00891440,007C13FC,?,007C13C6,?,007C1129), ref: 007F3852

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 4bcb5c6cb6de51fe7ba2c6927e3370973df0d8acb46dd037493df8300425fe2f
Instruction ID: a67935a3ce5eb81ecab97033b5f7cf2dfe53a34acc22a89c0e193ae56958b834
Opcode Fuzzy Hash: 4bcb5c6cb6de51fe7ba2c6927e3370973df0d8acb46dd037493df8300425fe2f
Instruction Fuzzy Hash: 2F31CF72A0020AABDF25DFA9DC45EBE7BA6EB40310F054168FD04D7251EB79ED50CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 008552C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00855352
GetWindowLongW.USER32(?,000000F0), ref: 00855375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00855382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008553A8

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 2c50d99ed814273fa30d42a3b093c1984075b7da759e951f273ec42e5eef5ce9
Instruction ID: e8cd6899bd0ab7a2b5b42fc489343332621e904d830cd5821d90f3efa52701f0
Opcode Fuzzy Hash: 2c50d99ed814273fa30d42a3b093c1984075b7da759e951f273ec42e5eef5ce9
Instruction Fuzzy Hash: BE31C134A55A0CEFEF209F14CC25BE977A2FB06392F584016BE19D63E0C7B499889B41

Uniqueness

Uniqueness Score: -1.00%

Function 0082AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0082ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0082AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0082AC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0082ACC6

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 991fefb9558f6b69e8864a085315d1eb05e0034dfecd813a4c965c7aea39001e
Instruction ID: 24052af6ce448196f9b2b067141f0039d0165826be30b34962ea66a05c7ec4cc
Opcode Fuzzy Hash: 991fefb9558f6b69e8864a085315d1eb05e0034dfecd813a4c965c7aea39001e
Instruction Fuzzy Hash: 5931F430A04728AFFF298B65EC047FA7BAAFF89310F04421AE485D21D1D3798AC58752

Uniqueness

Uniqueness Score: -1.00%

Function 00857674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0085769A
GetWindowRect.USER32(?,?), ref: 00857710
PtInRect.USER32(?,?,00858B89), ref: 00857720
MessageBeep.USER32(00000000), ref: 0085778C

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 1f2948ca9719b7853ec5893925d5bf984f78b400f7dd8e76d685caa8fc001746
Instruction ID: 609ccaca42d67f0bf5e93689ede672ed168918dbdd3e20146ad2731dc25f36d6
Opcode Fuzzy Hash: 1f2948ca9719b7853ec5893925d5bf984f78b400f7dd8e76d685caa8fc001746
Instruction Fuzzy Hash: 2641AD34609255DFDB02DF58E898EA9BBF5FB49306F1880A9E814DB261C330A949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 008516DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 008516EB

Part of subcall function 00823A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00823A57
Part of subcall function 00823A3D: GetCurrentThreadId.KERNEL32 ref: 00823A5E
Part of subcall function 00823A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008225B3), ref: 00823A65

GetCaretPos.USER32(?), ref: 008516FF
ClientToScreen.USER32(00000000,?), ref: 0085174C
GetForegroundWindow.USER32 ref: 00851752

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: ad2e878fa0ff8f4e864c27a6cf8d79bd52c0d8f1622bb6f1766402e5c7fa870c
Instruction ID: 04a69b51a870e35e28ef122b794e44ddc43f43ff39989d8b4204309de9d7ab0d
Opcode Fuzzy Hash: ad2e878fa0ff8f4e864c27a6cf8d79bd52c0d8f1622bb6f1766402e5c7fa870c
Instruction Fuzzy Hash: 6F313E75D00249AFCB04EFA9C885DAEBBF9FF48304B5480AEE415E7211DA359E45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0082D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0082D501
Process32FirstW.KERNEL32(00000000,?), ref: 0082D50F
Process32NextW.KERNEL32(00000000,?), ref: 0082D52F
CloseHandle.KERNEL32(00000000), ref: 0082D5DC

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 76c29e86e6569b3cf1ebff0abb2846410f5c47bd4af646eb6161147924e57cd2
Instruction ID: 363e3dbc7e331407a2c147332b07faf7918c82c9a16b48b469cfed429637e90d
Opcode Fuzzy Hash: 76c29e86e6569b3cf1ebff0abb2846410f5c47bd4af646eb6161147924e57cd2
Instruction Fuzzy Hash: 2D317E711083009FD301EF64D889EAFBBF8FF99354F14092DF581861A1EB75A985CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00858FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2

GetCursorPos.USER32(?), ref: 00859001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00817711,?,?,?,?,?), ref: 00859016
GetCursorPos.USER32(?), ref: 0085905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00817711,?,?,?), ref: 00859094

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: e14fd1bd24b8d8e3f5b4b5ebae8a5a7e80222a81d2d1d94d0521e65e5371bce3
Instruction ID: c69c3879374902e2e466c2d9886451ff89435fbb8b47fa7ac6ced40be3fa3961
Opcode Fuzzy Hash: e14fd1bd24b8d8e3f5b4b5ebae8a5a7e80222a81d2d1d94d0521e65e5371bce3
Instruction Fuzzy Hash: 0221BF31600518EFCF268F94CC58EEB7BF9FB89352F044465F945872A1D335A950EB60

Uniqueness

Uniqueness Score: -1.00%

Function 0082D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0085CB68), ref: 0082D2FB
GetLastError.KERNEL32 ref: 0082D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0082D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0085CB68), ref: 0082D376

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: b58a0945bb755a47b7df7b65c722a483ef2751fa63662cfb1d9c4e2b472866a4
Instruction ID: a6d9573114525e602ebcbe2a594d8c9e3847fd7d23cea738501b5e990c48854e
Opcode Fuzzy Hash: b58a0945bb755a47b7df7b65c722a483ef2751fa63662cfb1d9c4e2b472866a4
Instruction Fuzzy Hash: 39219F70508311DF8700DF28D8898AABBE4FE56324F504A1DF4A9C33A1E734D98ACB93

Uniqueness

Uniqueness Score: -1.00%

Function 00821571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00821014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0082102A
Part of subcall function 00821014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00821036
Part of subcall function 00821014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00821045
Part of subcall function 00821014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0082104C
Part of subcall function 00821014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00821062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008215BE
_memcmp.LIBVCRUNTIME ref: 008215E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00821617
HeapFree.KERNEL32(00000000), ref: 0082161E

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 11bf09595ec9e03b67b6cc3d67939dad841457bc89335d38b2f36455a6e38c4d
Instruction ID: 548ca70d21ef131f97330c38f53191bb6600d5ac9cf41f4a68769964a0992021
Opcode Fuzzy Hash: 11bf09595ec9e03b67b6cc3d67939dad841457bc89335d38b2f36455a6e38c4d
Instruction Fuzzy Hash: D5215771E40218AFDF00DFA4D949BEEB7B8FF64355F284459E441AB241E734AA85CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00852782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0085280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00852824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00852832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00852840

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 9c04c889acbe8df5e755a80be70db32094085926fc51a0b9a8a20663c62de4a3
Instruction ID: 135b8702c580bfc6f1af81fd9ca0debe89e4ddeaa441b78b99176e347ebab15a
Opcode Fuzzy Hash: 9c04c889acbe8df5e755a80be70db32094085926fc51a0b9a8a20663c62de4a3
Instruction Fuzzy Hash: A621E031204211AFD715DB24C845FAA7B95FF4A326F14825CF826CB2E2CB75EC86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 008278F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00828D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0082790A,?,000000FF,?,00828754,00000000,?,0000001C,?,?), ref: 00828D8C
Part of subcall function 00828D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00828DB2
Part of subcall function 00828D7D: lstrcmpiW.KERNEL32(00000000,?,0082790A,?,000000FF,?,00828754,00000000,?,0000001C,?,?), ref: 00828DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00828754,00000000,?,0000001C,?,?,00000000), ref: 00827923
lstrcpyW.KERNEL32(00000000,?), ref: 00827949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00828754,00000000,?,0000001C,?,?,00000000), ref: 00827984

Strings

cdecl, xrefs: 0082797B

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: affb5f606d4ce02cd3aaf556f7e78e3bbbf39e24003e3ae971103e591893e653
Instruction ID: 4cc5b1b5e32f759570d65d661da070cf690511eb82e05ad73b72eff9e56fb58e
Opcode Fuzzy Hash: affb5f606d4ce02cd3aaf556f7e78e3bbbf39e24003e3ae971103e591893e653
Instruction Fuzzy Hash: 7111E93A200311AFCB155F39E845D7A7BA9FF45354B50402AF946C73A4EB359891C761

Uniqueness

Uniqueness Score: -1.00%

Function 00857CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00857D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00857D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00857D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0083B7AD,00000000), ref: 00857D6B

Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 29f16de3eb94c9bb900f0b231cf287ea3ce600ce1b4e9cd865cbf041b7f5d40e
Instruction ID: f0f9018e7c997cd12c22e31e2df93de26678e26fd412caddc2f7743dda57f0fa
Opcode Fuzzy Hash: 29f16de3eb94c9bb900f0b231cf287ea3ce600ce1b4e9cd865cbf041b7f5d40e
Instruction Fuzzy Hash: F511C031208615AFCB119F68DC08A663BA5FF45362B158325FC35D72F0E7319D58CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00855660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 008556BB
_wcslen.LIBCMT ref: 008556CD
_wcslen.LIBCMT ref: 008556D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00855816

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: e30a79a35be292e8237882c49a82506f22a3ba703430d72d5a24d931fdfb661a
Instruction ID: 80497c34372689ac38e4326afe80b6442c9c87ac5399206bfb02d56bc2cf8b68
Opcode Fuzzy Hash: e30a79a35be292e8237882c49a82506f22a3ba703430d72d5a24d931fdfb661a
Instruction Fuzzy Hash: 78110375600608E6DF209FA1DC95AEE3BBCFF10766B10402AFD15E6081E774DA88CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00821A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00821A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00821A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00821A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00821A8A

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 012da72f200f9bf224f970f9dd1878b903616105602654dd20fd819a93dc95a5
Instruction ID: 3ffa6e1ff2079fc697f31343067d5e5f9579d6a7540f9d3ea07929b0e88bffdc
Opcode Fuzzy Hash: 012da72f200f9bf224f970f9dd1878b903616105602654dd20fd819a93dc95a5
Instruction Fuzzy Hash: 4411273A901229FFEF109BA4C985FADBB78FB18750F2000A1EA01B7290D7716E50DB94

Uniqueness

Uniqueness Score: -1.00%

Function 0082E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0082E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0082E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0082E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0082E24D

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 316a44e6096717b84bf5cc66827918ef1a64143ec1915203cd7204a4afc3a186
Instruction ID: 018cd9a0417559ca4fcb9066f1fe4e6784fbd834559024f2f95850d4f93fd64c
Opcode Fuzzy Hash: 316a44e6096717b84bf5cc66827918ef1a64143ec1915203cd7204a4afc3a186
Instruction Fuzzy Hash: A211C876904369FFCB019FA8AC09A9E7FACFB45311F144256F925E3391D7788D448BA0

Uniqueness

Uniqueness Score: -1.00%

Function 007ED1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,007ECFF9,00000000,00000004,00000000), ref: 007ED218
GetLastError.KERNEL32 ref: 007ED224
__dosmaperr.LIBCMT ref: 007ED22B
ResumeThread.KERNEL32(00000000), ref: 007ED249

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: ecb72ffcaba6a0084995e957d87dcbd38a3c3bfdf587210f562755fbe667050c
Instruction ID: 05dfce3369ded3d257633fa17cbe80c208fd1aa6d83d913b8147c74408f35b40
Opcode Fuzzy Hash: ecb72ffcaba6a0084995e957d87dcbd38a3c3bfdf587210f562755fbe667050c
Instruction Fuzzy Hash: C501D636807248BFC7215BA7DC09BAE7A6DFF89731F104219FA25961D0DB798D01C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 007C600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 007C604C
GetStockObject.GDI32(00000011), ref: 007C6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 007C606A

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 258b484dc80b37fff443c0149232558a5f0dc52f5abd0e21c627a19bd228206c
Instruction ID: bf4baeca850e2db19c7020c8150d29feeee5a47227792aba920921385075aa40
Opcode Fuzzy Hash: 258b484dc80b37fff443c0149232558a5f0dc52f5abd0e21c627a19bd228206c
Instruction Fuzzy Hash: F7115E72501609BFEF125F949C84FEA7BA9FF18755F050119FA1562110D73A9CA09F90

Uniqueness

Uniqueness Score: -1.00%

Function 007E3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 007E3B56

Part of subcall function 007E3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 007E3AD2
Part of subcall function 007E3AA3: ___AdjustPointer.LIBCMT ref: 007E3AED

_UnwindNestedFrames.LIBCMT ref: 007E3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 007E3B7C
CallCatchBlock.LIBVCRUNTIME ref: 007E3BA4

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 4b22b94fcf7a57680e310593f851e22bec77f6833764d96f381c090a273ea2aa
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 04012972101189BBDF126E96CC4AEEB3B6EEF8C754F044014FE4896121C73AE961DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 007F3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,007C13C6,00000000,00000000,?,007F301A,007C13C6,00000000,00000000,00000000,?,007F328B,00000006,FlsSetValue), ref: 007F30A5
GetLastError.KERNEL32(?,007F301A,007C13C6,00000000,00000000,00000000,?,007F328B,00000006,FlsSetValue,00862290,FlsSetValue,00000000,00000364,?,007F2E46), ref: 007F30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,007F301A,007C13C6,00000000,00000000,00000000,?,007F328B,00000006,FlsSetValue,00862290,FlsSetValue,00000000), ref: 007F30BF

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 759bf9fbc23ee342007876943f9aa64ef946c5ff1bd791a5f275f9fedff6b5ae
Instruction ID: 543377cf383ee4bbef506858192cd46cd8d86d67dcf1b289f34dc980345c7c89
Opcode Fuzzy Hash: 759bf9fbc23ee342007876943f9aa64ef946c5ff1bd791a5f275f9fedff6b5ae
Instruction Fuzzy Hash: 1D01D43230132AAFCB214A799C449777B9AAF05BA1B210721FA06E3340CF29D941CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 00827464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0082747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00827497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 008274AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 008274CA

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: f28ae5105384577044e8e08f0e292d5cfa37e63f0e16f7aef19c06d6115554d8
Instruction ID: 73266e8d6abfd8105bf035138071218a265140cfb0f16e048aab876064ed12d0
Opcode Fuzzy Hash: f28ae5105384577044e8e08f0e292d5cfa37e63f0e16f7aef19c06d6115554d8
Instruction Fuzzy Hash: 7811ADB1205325AFE720AF15EC08FA27BFCFB00B04F508569E616D6191D7B4E984DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0082B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0082ACD3,?,00008000), ref: 0082B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0082ACD3,?,00008000), ref: 0082B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0082ACD3,?,00008000), ref: 0082B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0082ACD3,?,00008000), ref: 0082B126

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: e836b0a1da72951e91dc024a30b3f3502ce77d8c6ef12fa0579bc7fb5447cae1
Instruction ID: e6fbef56875121e685d5b8f0d59841209ee78f8a7e869b2d9bec725b244dde7c
Opcode Fuzzy Hash: e836b0a1da72951e91dc024a30b3f3502ce77d8c6ef12fa0579bc7fb5447cae1
Instruction Fuzzy Hash: A5112D31D02A3DEBCF00AFE4E9696EEBF78FF49711F114096D941B2281DB3456A08B55

Uniqueness

Uniqueness Score: -1.00%

Function 00822DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00822DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00822DD6
GetCurrentThreadId.KERNEL32 ref: 00822DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00822DE4

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: f858f8caeb5752bcbab7b192152ccd47b3756abdb8063a448125556b885a0808
Instruction ID: 477537475445f521050b83ab4d334cc21b933026ce8d26cc5d7fa530c3fdea8a
Opcode Fuzzy Hash: f858f8caeb5752bcbab7b192152ccd47b3756abdb8063a448125556b885a0808
Instruction Fuzzy Hash: F3E0EDB25417387BD7201B72AC0DEEB7EACFB56BA2F400119B506D50909AA99985CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00858863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 007D9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 007D9693
Part of subcall function 007D9639: SelectObject.GDI32(?,00000000), ref: 007D96A2
Part of subcall function 007D9639: BeginPath.GDI32(?), ref: 007D96B9
Part of subcall function 007D9639: SelectObject.GDI32(?,00000000), ref: 007D96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00858887
LineTo.GDI32(?,?,?), ref: 00858894
EndPath.GDI32(?), ref: 008588A4
StrokePath.GDI32(?), ref: 008588B2

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 95c932b87889642c742b5852a2e0d59e2f37f9db97db3cbd9ab53f0c33376d43
Instruction ID: ed4f286f9a576607ed99eeb52b5f6515cbd4af09861fd418e9a0b2801560340e
Opcode Fuzzy Hash: 95c932b87889642c742b5852a2e0d59e2f37f9db97db3cbd9ab53f0c33376d43
Instruction Fuzzy Hash: 87F03A36045759FADB126F94AC0DFCA3F69BF06312F448001FA11650E1C7795511CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 007D98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 007D98CC
SetTextColor.GDI32(?,?), ref: 007D98D6
SetBkMode.GDI32(?,00000001), ref: 007D98E9
GetStockObject.GDI32(00000005), ref: 007D98F1

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: b2ea3a2d1f04728c0bf0e07ec02e3e165b07bf5013e640b0df696f2988626d6c
Instruction ID: 7e2710584abb0d55fa5ae400ea544202b6c31c0081ea8e9773e00c1863a5a7e3
Opcode Fuzzy Hash: b2ea3a2d1f04728c0bf0e07ec02e3e165b07bf5013e640b0df696f2988626d6c
Instruction Fuzzy Hash: 66E06D31284780AEDB215B78AC09BE83F21FB12376F04821AF7FA980E1C77546809F10

Uniqueness

Uniqueness Score: -1.00%

Function 0082162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00821634
OpenThreadToken.ADVAPI32(00000000,?,?,?,008211D9), ref: 0082163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008211D9), ref: 00821648
OpenProcessToken.ADVAPI32(00000000,?,?,?,008211D9), ref: 0082164F

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: b05583b22f4c9b77825b204d794dc10d236082f3d2d2e4d56931853df6cc2b89
Instruction ID: 307ab00bd70c5e323d683c531c37d37db62ddfe5b4deb5a23c80e6c7f17b0977
Opcode Fuzzy Hash: b05583b22f4c9b77825b204d794dc10d236082f3d2d2e4d56931853df6cc2b89
Instruction Fuzzy Hash: 95E04F71602321AFDB201BA1AD0DB8A3B68FF64B93F144808F245C9080D6284480CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0081D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0081D858
GetDC.USER32(00000000), ref: 0081D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0081D882
ReleaseDC.USER32(?), ref: 0081D8A3

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 80321fc4900aec92d92fc004ee658de98730354d8861e62f4ed112d659213ac0
Instruction ID: 2122ce86a743e8bf9fdece4e4af494ba75e061e3ad753030cbb76c33171f4755
Opcode Fuzzy Hash: 80321fc4900aec92d92fc004ee658de98730354d8861e62f4ed112d659213ac0
Instruction Fuzzy Hash: BDE075B5800305DFCB519FA09908A6DBBF5FB58712B14945DE84AE7250D73C5A41AF50

Uniqueness

Uniqueness Score: -1.00%

Function 0081D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0081D86C
GetDC.USER32(00000000), ref: 0081D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0081D882
ReleaseDC.USER32(?), ref: 0081D8A3

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 24a41614a879494edfd5c8a54e3b288b047b401cbdc1e083f6d9b6fbdd5aa3c3
Instruction ID: 2bf02e4f3862b3768e6e047bc2f1dda6218a5b5b0eef81d18ef1f5dd985acdc5
Opcode Fuzzy Hash: 24a41614a879494edfd5c8a54e3b288b047b401cbdc1e083f6d9b6fbdd5aa3c3
Instruction Fuzzy Hash: D6E07EB5800304EFCB51AFA09808A6DBBF5BB58712B14944DE94AE7250DB3C5A02AF50

Uniqueness

Uniqueness Score: -1.00%

Function 00834D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 007C7620: _wcslen.LIBCMT ref: 007C7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00834ED4

Strings

*, xrefs: 00834E10
LPT, xrefs: 00834DFB

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 6f268c417cad6ae9293409fc912b587cb31f9daef836aa26d2bff0f7a05cc9aa
Instruction ID: b555e8cce4bbf901e78aaf014cbc8ac07a03759b4e0a8da3e3a5d23bc8641b6e
Opcode Fuzzy Hash: 6f268c417cad6ae9293409fc912b587cb31f9daef836aa26d2bff0f7a05cc9aa
Instruction Fuzzy Hash: 0C912C75A002049FCB14DF58C484EA9BBF1FF85318F19909DE80A9B362DB75ED85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 007EE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 007EE30D

Strings

pow, xrefs: 007EE2E5, 007EE302

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 20578f5d99fdeabebcb6fc66edadaa1caa4a7bc3de4be22c8e628955f87e1117
Instruction ID: a060e99bbe2bcb9fc0b03818c9fdbe75295246ca01e3dd15cb22ce4ef06166b0
Opcode Fuzzy Hash: 20578f5d99fdeabebcb6fc66edadaa1caa4a7bc3de4be22c8e628955f87e1117
Instruction Fuzzy Hash: 7E51AA61A0E64AD6CB197B15CD4537A3BA8FB04740F348DA9E1D1823E9EF3C8C91DA46

Uniqueness

Uniqueness Score: -1.00%

Function 007DE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 007DE1B1

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 32e54f9ec6adf8739f2ce1a32ad3f9fd52e8b0d0d75723ddb1c89f5bc817b5b3
Instruction ID: 772344bc0c62f28b86ca473b75b27b020ce0def21ce891dc3f94981b1c906211
Opcode Fuzzy Hash: 32e54f9ec6adf8739f2ce1a32ad3f9fd52e8b0d0d75723ddb1c89f5bc817b5b3
Instruction Fuzzy Hash: 2C510575500246DFEB15EF68C485AFA7BB8FF55310F24445AEC51DB2D0D638AD82CB60

Uniqueness

Uniqueness Score: -1.00%

Function 007DF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 007DF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 007DF2BB

Strings

@, xrefs: 007DF2AF

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: e21d8cd01dc5abeb0c925dd77deb1b232a6c974d3371ad708307f7fc12cf4128
Instruction ID: fe45713c5ce83b088f56652ad8fc277741686fbd8f7ce28d526c79908076813b
Opcode Fuzzy Hash: e21d8cd01dc5abeb0c925dd77deb1b232a6c974d3371ad708307f7fc12cf4128
Instruction Fuzzy Hash: 22513472418B44DBD320AF14DC8ABAFBBF8FB84300F81885DF1D9411A5EB749569CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00845745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 008457E0
_wcslen.LIBCMT ref: 008457EC

Strings

CALLARGARRAY, xrefs: 008457E6, 008457EB

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: aaf61ea97ab6d5022264358839d94fc96cb68382cbea3c4d7f5df2cfbb225a6a
Instruction ID: 297a8777ea2817bfb68b8d590d36ccaac18637679dd9595992486654a1096234
Opcode Fuzzy Hash: aaf61ea97ab6d5022264358839d94fc96cb68382cbea3c4d7f5df2cfbb225a6a
Instruction Fuzzy Hash: FB418C31A00209DFCB14EFA9C8859AEBBF5FF59724F10406DE505E7292EB349D81CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0083D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0083D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0083D13A

Strings

|, xrefs: 0083D10B

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 2548dcee7bf3b4882d8376b47b8b1e490c5cd26b5739b839255dbd3c65e3a459
Instruction ID: 84f4ff75506f875dd1ea11bb9cbd01811996f87c3ad7c900411dfbc86baacfec
Opcode Fuzzy Hash: 2548dcee7bf3b4882d8376b47b8b1e490c5cd26b5739b839255dbd3c65e3a459
Instruction Fuzzy Hash: EB310771D00209EBCF15EFA5DC89EEEBFB9FF48304F000019E815A6162E735AA16CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0085356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00853621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0085365C

Strings

static, xrefs: 008535BC

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: fa85bf22a1b72a642eab49562ef26c63ae7e82b18b43f52dc784cea0df6d304b
Instruction ID: 26884efd8344ab539a03b7ea5944164997849e0272dc4ec7ef48d4fc8361d5da
Opcode Fuzzy Hash: fa85bf22a1b72a642eab49562ef26c63ae7e82b18b43f52dc784cea0df6d304b
Instruction Fuzzy Hash: DE318C71100604AEDB109F28DC80EBB73A9FF98765F10961DF8A5D7290DA34AD85DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00854537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0085461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00854634

Strings

', xrefs: 0085458E

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 60a34ef5cc03cd5f44f9f39cd30c5c475384b64a470a45c3c543652b5f6e5cfb
Instruction ID: 8640ab8ef240325ee068772c0b57b8e17c92c57ae515d44e8dc0dc719c1c9e5a
Opcode Fuzzy Hash: 60a34ef5cc03cd5f44f9f39cd30c5c475384b64a470a45c3c543652b5f6e5cfb
Instruction Fuzzy Hash: 76311774A0120AAFDB14CF69C990BDABBB5FB09305F14506AED04EB341E770A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 008531EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0085327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00853287

Strings

Combobox, xrefs: 00853249

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 3012a9e9997bf34d44aa7a65d7f79c2d5e754ca4ec40bae30a0f4a24cfb4e3cc
Instruction ID: 729a6476a825ee1a17a9968382750055ac57c62786effabe0b7d3114b4c140a9
Opcode Fuzzy Hash: 3012a9e9997bf34d44aa7a65d7f79c2d5e754ca4ec40bae30a0f4a24cfb4e3cc
Instruction Fuzzy Hash: A811B271304608BFEF219E54DC84EBB376BFB943A6F104129F918E7290D6359D558760

Uniqueness

Uniqueness Score: -1.00%

Function 00853710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 007C600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 007C604C
Part of subcall function 007C600E: GetStockObject.GDI32(00000011), ref: 007C6060
Part of subcall function 007C600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 007C606A

GetWindowRect.USER32(00000000,?), ref: 0085377A
GetSysColor.USER32(00000012), ref: 00853794

Strings

static, xrefs: 00853757

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 83a36eddb9aac5877f76159b075679f79b69bd36b248a4a0f3f9ed343fde70b8
Instruction ID: 12d96dc54db6a9f0dc585e2ff54b6851160c6bc5635c5782badf5c66614fc2eb
Opcode Fuzzy Hash: 83a36eddb9aac5877f76159b075679f79b69bd36b248a4a0f3f9ed343fde70b8
Instruction Fuzzy Hash: 111129B2A10209AFDF00DFA8CC45EFA7BB8FB08355F004529FD55E2250E735E9559B50

Uniqueness

Uniqueness Score: -1.00%

Function 0083CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0083CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0083CDA6

Strings

<local>, xrefs: 0083CD66

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: aa9b9971f1ad64919247c7d658229d5488b80ed0e015264fe50d49e4817c9565
Instruction ID: 147cb812547f45733ec3c67fbb91f46c71496bd83cbc33cecd65152e3f14633e
Opcode Fuzzy Hash: aa9b9971f1ad64919247c7d658229d5488b80ed0e015264fe50d49e4817c9565
Instruction Fuzzy Hash: 6411C275205635BED7385B668C49EE7BEADFF927A8F00422AB109E3180D7749840D7F0

Uniqueness

Uniqueness Score: -1.00%

Function 00853429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 008534AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 008534BA

Strings

edit, xrefs: 0085348F

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 1177f9945a4cb55f82c0977bad86ff1692f563bea0903a007d0a83fd338b8416
Instruction ID: a8ec8437b6e24e2803c080bce1997bd73bfc4e16f49eeb51c66cc9d73698b3c1
Opcode Fuzzy Hash: 1177f9945a4cb55f82c0977bad86ff1692f563bea0903a007d0a83fd338b8416
Instruction Fuzzy Hash: D2119D71100208AFEF114E64DC44AAB376AFB243B9F504724FD61D31D0C735DD999B58

Uniqueness

Uniqueness Score: -1.00%

Function 00826C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00826CB6
_wcslen.LIBCMT ref: 00826CC2

Strings

STOP, xrefs: 00826CBC, 00826CC1

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 28154cd1b5286c737f77dfaa9c4be0c59f21b556422da26853d58de520102d51
Instruction ID: 443125ecc5327234e48ad606cc77d49bde52ab192c8e15886d4a116dc820cd51
Opcode Fuzzy Hash: 28154cd1b5286c737f77dfaa9c4be0c59f21b556422da26853d58de520102d51
Instruction Fuzzy Hash: 89010032A0053A8BCB20AFFDEC849BF73E4FB607147400528E862D3190FA36D9A0C650

Uniqueness

Uniqueness Score: -1.00%

Function 00821CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

Part of subcall function 00823CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00823CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00821D4C

Strings

ComboBox, xrefs: 00821CEB
ListBox, xrefs: 00821D16

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 100dbd80fbc4913b815d65fbd1b9b290330e4ee4bf970da55b10658c480be1ee
Instruction ID: acbd12aa05ac1d6b35c5df17118d523f500d00ab5a457c7ebcc161206cafeddd
Opcode Fuzzy Hash: 100dbd80fbc4913b815d65fbd1b9b290330e4ee4bf970da55b10658c480be1ee
Instruction Fuzzy Hash: C401B575601228EBCF54EBA4EC59DFE77A8FB66350B14051DF832A73C1EA3459488760

Uniqueness

Uniqueness Score: -1.00%

Function 00821BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

Part of subcall function 00823CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00823CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00821C46

Strings

ComboBox, xrefs: 00821BE5
ListBox, xrefs: 00821C10

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 3b23e55ac1a258a762b6d5ff5a2c87e93ea00e4c83366fca41164bbb70a75620
Instruction ID: 8d97e4c39c49792fa1dd8f984982b21953e40f0fd0ef146881a3764089269cff
Opcode Fuzzy Hash: 3b23e55ac1a258a762b6d5ff5a2c87e93ea00e4c83366fca41164bbb70a75620
Instruction Fuzzy Hash: C901AC75641118A6CF14FBA0D959EFF77E8FB31340F14001DA916B7281EA289F5887B1

Uniqueness

Uniqueness Score: -1.00%

Function 00821C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

Part of subcall function 00823CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00823CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00821CC8

Strings

ComboBox, xrefs: 00821C69
ListBox, xrefs: 00821C94

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: e56de663e58908d826b2a4348fdd09c4eff9af019b015ed9ffef7bf378a48f5d
Instruction ID: 3d63aa1b108c68fc5c3ab7ae6744be395a5c79e39fa0caf8a81952c70bf8f9bc
Opcode Fuzzy Hash: e56de663e58908d826b2a4348fdd09c4eff9af019b015ed9ffef7bf378a48f5d
Instruction Fuzzy Hash: 06016775641128A6CF14FBA4DA19EFE77E8FB21340B64001DB911F3281EA699F588771

Uniqueness

Uniqueness Score: -1.00%

Function 0084747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00847493
_wcslen.LIBCMT ref: 008474B9

Strings

3, 3, 16, 1, xrefs: 00847483

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 9e6789c4df23bd860134a427fa3d340e76f753d04e6cb31080daee3226bda644
Instruction ID: 00d55c2b66d4230e393962a9223cce3db8ef2cc7c8245b6b70377638fbc87928
Opcode Fuzzy Hash: 9e6789c4df23bd860134a427fa3d340e76f753d04e6cb31080daee3226bda644
Instruction Fuzzy Hash: A4E02B42205260609231227A9CC597F5789EFDD750710182BF981D2267EB98DD9193F5

Uniqueness

Uniqueness Score: -1.00%

Function 00820B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00820B23

Strings

Error allocating memory., xrefs: 00820B1C
AutoIt, xrefs: 00820B17

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: ac184e5a2a3a550b18203966a7e5a8fe84001482a972acdf05551205f92e8131
Instruction ID: 3d2f66299078dc686590fc344f3244d226fdff7accff9dbf809e6420f4cbc081
Opcode Fuzzy Hash: ac184e5a2a3a550b18203966a7e5a8fe84001482a972acdf05551205f92e8131
Instruction Fuzzy Hash: 88E0D8312443186ED21036957C0BF897F94EF09F61F10046BFB98D56C38AE928904AE9

Uniqueness

Uniqueness Score: -1.00%

Function 007E0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 007DF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,007E0D71,?,?,?,007C100A), ref: 007DF7CE

IsDebuggerPresent.KERNEL32(?,?,?,007C100A), ref: 007E0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,007C100A), ref: 007E0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 007E0D7F

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: d3d6c6765fef715615ceb604ffbbb37a16fc3c0d2da8640bf1458557b328ecae
Instruction ID: 0036ca8fd212bd09689b395a5af908993533146ef0fbad24d1cfbb0848676cb9
Opcode Fuzzy Hash: d3d6c6765fef715615ceb604ffbbb37a16fc3c0d2da8640bf1458557b328ecae
Instruction Fuzzy Hash: 40E039742003418BD320AFA9D8487467BE0BB04756F00492DE882CA652DBF8E4888BE1

Uniqueness

Uniqueness Score: -1.00%

Function 0081D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0081D220

Strings

%.3d, xrefs: 0081D22B
X64, xrefs: 0081D2A8

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: e625a9d04a2b230b19980cd4d3c6d7d92aa5014bf608326178f50f6855b0e3b6
Instruction ID: d63547bdff0160e4fe89bb17e897f72241467a58c9e3b795673c680c6f15385e
Opcode Fuzzy Hash: e625a9d04a2b230b19980cd4d3c6d7d92aa5014bf608326178f50f6855b0e3b6
Instruction Fuzzy Hash: B9D012A180831CE9CB5096E0CC49AF9B37CFF19305F608453F826D1140D63CE9886B61

Uniqueness

Uniqueness Score: -1.00%

Function 00852322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0085232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0085233F

Part of subcall function 0082E97B: Sleep.KERNEL32 ref: 0082E9F3

Strings

Shell_TrayWnd, xrefs: 00852325

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 685b92d40226fb0dbd32b15cfd7944dc2815ef9903bc58227c504fe8f131d39d
Instruction ID: 130bd091dcdfb62f1cc70c64e59a1e4b116a5e3fdbbd94a29f60472ba0349ff3
Opcode Fuzzy Hash: 685b92d40226fb0dbd32b15cfd7944dc2815ef9903bc58227c504fe8f131d39d
Instruction Fuzzy Hash: FCD0A932380310BAE2A4B770AC1FFC66A04BB00B01F004A067205EA1D0D8A8A8418A44

Uniqueness

Uniqueness Score: -1.00%

Function 00852356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0085236C
PostMessageW.USER32(00000000), ref: 00852373

Part of subcall function 0082E97B: Sleep.KERNEL32 ref: 0082E9F3

Strings

Shell_TrayWnd, xrefs: 00852365

Memory Dump Source

Source File: 00000000.00000002.2014969159.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.2014663897.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015052895.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015264499.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015338153.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_62402781, Fiyat Teklif Talebi.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 277f9fd82da595071ca0769d738333ac62bb1d3060e880f40fcc39aed8d202e5
Instruction ID: 22ea5ccbd88cc356f63a1a5a9610c0acc21afb50a5c48046be8a367c77a4febf
Opcode Fuzzy Hash: 277f9fd82da595071ca0769d738333ac62bb1d3060e880f40fcc39aed8d202e5
Instruction Fuzzy Hash: 2BD0A9323803107AE2A4B770AC0FFC66A04BB00B01F004A067201EA1D0D8A8A8418A48

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 62402781, Fiyat Teklif Talebi.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Threatname: RedLine

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ctsdvwT.exe.log

C:\Users\user\AppData\Local\Temp\Keily

C:\Users\user\AppData\Local\Temp\Maianthemum

C:\Users\user\AppData\Local\Temp\aut32DD.tmp

C:\Users\user\AppData\Local\Temp\aut332C.tmp

C:\Users\user\AppData\Local\Temp\aut3686.tmp

C:\Users\user\AppData\Local\Temp\aut36D6.tmp

C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe

\Device\ConDrv

Static File Info

General

File Icon

Windows Analysis Report
62402781, Fiyat Teklif Talebi.pdf.exe

Function 007C42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 007C42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00802BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 007C2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 007F8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300
COMMONLIBRARYCODE

Function 0080065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 007C344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 007C2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre