Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
hesaphareketi-.exe

Overview

General Information

Sample name:hesaphareketi-.exe
Analysis ID:1446733
MD5:6ee05d4dd363d273ce38c497b1238db1
SHA1:7c4f86c5edfe9cf5d1955c4af44cd8d0a25a0f0a
SHA256:1a88cd1b38768b690166ed6a6647ca7e975a68b7112c0e938cdfaaea8d509c9e
Tags:AgentTeslaexegeoTUR
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large strings
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses FTP
Uses a known web browser user agent for HTTP communication
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • hesaphareketi-.exe (PID: 6832 cmdline: "C:\Users\user\Desktop\hesaphareketi-.exe" MD5: 6EE05D4DD363D273CE38C497B1238DB1)
    • hesaphareketi-.exe (PID: 3496 cmdline: "C:\Users\user\Desktop\hesaphareketi-.exe" MD5: 6EE05D4DD363D273CE38C497B1238DB1)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.normagroup.com.tr", "Username": "admin@normagroup.com.tr", "Password": "Qb.X[.j.Yfm["}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.1763207948.0000000003879000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
    00000000.00000002.1763207948.0000000003879000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000002.00000002.4189629111.0000000002BB9000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000002.00000002.4188331044.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          00000002.00000002.4188331044.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 9 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            2.2.hesaphareketi-.exe.400000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              2.2.hesaphareketi-.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                2.2.hesaphareketi-.exe.400000.0.unpackINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
                • 0x33099:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                • 0x3310b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
                • 0x33195:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
                • 0x33227:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                • 0x33291:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                • 0x33303:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                • 0x33399:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                • 0x33429:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
                2.2.hesaphareketi-.exe.400000.0.unpackMALWARE_Win_AgentTeslaV2AgenetTesla Type 2 Keylogger payloadditekSHen
                • 0x304e6:$s2: GetPrivateProfileString
                • 0x2fbf5:$s3: get_OSFullName
                • 0x3125a:$s5: remove_Key
                • 0x313d3:$s5: remove_Key
                • 0x322c2:$s6: FtpWebRequest
                • 0x3307b:$s7: logins
                • 0x335ed:$s7: logins
                • 0x362d0:$s7: logins
                • 0x363b0:$s7: logins
                • 0x37cae:$s7: logins
                • 0x36f4a:$s9: 1.85 (Hash, version 2, native byte-order)
                0.2.hesaphareketi-.exe.3b6d660.4.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                  Click to see the 16 entries

                  Sigma Signatures

                  No Sigma rule has matched

                  Snort Signatures

                  No Snort rule has matched

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Antivirus detection for URL or domain
                  Source: http://ftp.normagroup.com.trAvira URL Cloud: Label: malware
                  Found malware configuration
                  Source: 0.2.hesaphareketi-.exe.38c34e0.3.raw.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.normagroup.com.tr", "Username": "admin@normagroup.com.tr", "Password": "Qb.X[.j.Yfm["}
                  Multi AV Scanner detection for submitted file
                  Source: hesaphareketi-.exeReversingLabs: Detection: 47%
                  AI detected suspicious sample
                  Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                  Machine Learning detection for sample
                  Source: hesaphareketi-.exeJoe Sandbox ML: detected
                  Source: hesaphareketi-.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49732 version: TLS 1.2
                  Source: hesaphareketi-.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: wfrb.pdbSHA256f source: hesaphareketi-.exe
                  Source: Binary string: wfrb.pdb source: hesaphareketi-.exe

                  Networking

                  barindex
                  Connects to many ports of the same IP (likely port scanning)
                  Source: global trafficTCP traffic: 104.247.165.99 ports 62592,64834,56060,61504,58712,1,2,55953,61120,21
                  Yara detected Generic Downloader
                  Source: Yara matchFile source: 0.2.hesaphareketi-.exe.3b6d660.4.raw.unpack, type: UNPACKEDPE
                  Source: global trafficTCP traffic: 192.168.2.4:49754 -> 104.247.165.99:62592
                  Source: Joe Sandbox ViewIP Address: 104.26.12.205 104.26.12.205
                  Source: Joe Sandbox ViewIP Address: 104.26.12.205 104.26.12.205
                  Source: Joe Sandbox ViewIP Address: 104.247.165.99 104.247.165.99
                  Source: Joe Sandbox ViewASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS
                  Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: unknownDNS query: name: api.ipify.org
                  Source: unknownDNS query: name: api.ipify.org
                  Source: unknownDNS query: name: api.ipify.org
                  Source: unknownFTP traffic detected: 104.247.165.99:21 -> 192.168.2.4:49753 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 50 allowed.220-Local time is now 21:28. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 50 allowed.220-Local time is now 21:28. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 50 allowed.220-Local time is now 21:28. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 50 allowed.220-Local time is now 21:28. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                  Source: global trafficDNS traffic detected: DNS query: api.ipify.org
                  Source: global trafficDNS traffic detected: DNS query: ftp.normagroup.com.tr
                  Source: hesaphareketi-.exe, 00000002.00000002.4189629111.0000000002E48000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-.exe, 00000002.00000002.4189629111.0000000002DED000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-.exe, 00000002.00000002.4189629111.0000000002BCF000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-.exe, 00000002.00000002.4189629111.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-.exe, 00000002.00000002.4189629111.0000000002BB9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ftp.normagroup.com.tr
                  Source: hesaphareketi-.exe, 00000002.00000002.4189629111.0000000002B41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: hesaphareketi-.exeString found in binary or memory: http://tempuri.org/DataSet1.xsd#tableLayoutPanel1
                  Source: hesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                  Source: hesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                  Source: hesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                  Source: hesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                  Source: hesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                  Source: hesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                  Source: hesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                  Source: hesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                  Source: hesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                  Source: hesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                  Source: hesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                  Source: hesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                  Source: hesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                  Source: hesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                  Source: hesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                  Source: hesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                  Source: hesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                  Source: hesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                  Source: hesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                  Source: hesaphareketi-.exe, 00000000.00000002.1765665168.0000000005880000.00000004.00000020.00020000.00000000.sdmp, hesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                  Source: hesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                  Source: hesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                  Source: hesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                  Source: hesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                  Source: hesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                  Source: hesaphareketi-.exe, 00000000.00000002.1763207948.0000000003879000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-.exe, 00000000.00000002.1763207948.0000000003AE6000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-.exe, 00000002.00000002.4188331044.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                  Source: hesaphareketi-.exe, 00000000.00000002.1763207948.0000000003879000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-.exe, 00000000.00000002.1763207948.0000000003AE6000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-.exe, 00000002.00000002.4189629111.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-.exe, 00000002.00000002.4188331044.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                  Source: hesaphareketi-.exe, 00000002.00000002.4189629111.0000000002B41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                  Source: hesaphareketi-.exe, 00000002.00000002.4189629111.0000000002B41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                  Source: hesaphareketi-.exeString found in binary or memory: https://github.com/romenrg/genetic-startups
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
                  Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49732 version: TLS 1.2

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  barindex
                  Contains functionality to log keystrokes (.Net Source)
                  Source: 0.2.hesaphareketi-.exe.38c34e0.3.raw.unpack, gmBpn1ecBmQ.cs.Net Code: GcrDSu6Vtcl
                  Source: 0.2.hesaphareketi-.exe.3b6d660.4.raw.unpack, gmBpn1ecBmQ.cs.Net Code: GcrDSu6Vtcl
                  Contains functionality to register a low level keyboard hook
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeCode function: 2_2_067F8FC8 SetWindowsHookExA 0000000D,00000000,?,?,?,?,?,?,?,?,?,067F95F0,00000000,000000002_2_067F8FC8
                  Installs a global keyboard hook
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeWindows user hook set: 0 keyboard low level C:\Users\user\Desktop\hesaphareketi-.exeJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

                  System Summary

                  barindex
                  Malicious sample detected (through community Yara rule)
                  Source: 2.2.hesaphareketi-.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 2.2.hesaphareketi-.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 0.2.hesaphareketi-.exe.3b6d660.4.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 0.2.hesaphareketi-.exe.3b6d660.4.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 0.2.hesaphareketi-.exe.38c34e0.3.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 0.2.hesaphareketi-.exe.38c34e0.3.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 0.2.hesaphareketi-.exe.38c34e0.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 0.2.hesaphareketi-.exe.38c34e0.3.raw.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 0.2.hesaphareketi-.exe.3b6d660.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 0.2.hesaphareketi-.exe.3b6d660.4.raw.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  .NET source code contains very large strings
                  Source: hesaphareketi-.exe, MainForm.csLong String: Length: 150953
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess Stats: CPU usage > 49%
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeCode function: 0_2_0275DAEC0_2_0275DAEC
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeCode function: 2_2_029FE5902_2_029FE590
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeCode function: 2_2_029FAA982_2_029FAA98
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeCode function: 2_2_029F4A582_2_029F4A58
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeCode function: 2_2_029F3E402_2_029F3E40
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeCode function: 2_2_029FDD182_2_029FDD18
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeCode function: 2_2_029F41882_2_029F4188
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeCode function: 2_2_029FAA932_2_029FAA93
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeCode function: 2_2_067F02742_2_067F0274
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeCode function: 2_2_067FE3E82_2_067FE3E8
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeCode function: 2_2_067F24F72_2_067F24F7
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeCode function: 2_2_067F18082_2_067F1808
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeCode function: 2_2_067F18032_2_067F1803
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeCode function: 2_2_068055902_2_06805590
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeCode function: 2_2_068065D82_2_068065D8
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeCode function: 2_2_0680B2182_2_0680B218
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeCode function: 2_2_068023582_2_06802358
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeCode function: 2_2_0680C1782_2_0680C178
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeCode function: 2_2_06807D682_2_06807D68
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeCode function: 2_2_068076882_2_06807688
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeCode function: 2_2_0680E3902_2_0680E390
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeCode function: 2_2_068083B02_2_068083B0
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeCode function: 2_2_068000402_2_06800040
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeCode function: 2_2_06805CD82_2_06805CD8
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeCode function: 2_2_068000072_2_06800007
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeCode function: 2_2_068005372_2_06800537
                  Source: hesaphareketi-.exe, 00000000.00000002.1762669027.00000000028B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename114326d3-9409-41d5-a856-433d8726b4f2.exe4 vs hesaphareketi-.exe
                  Source: hesaphareketi-.exe, 00000000.00000002.1765463255.0000000005250000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSimpleLogin.dll8 vs hesaphareketi-.exe
                  Source: hesaphareketi-.exe, 00000000.00000002.1763207948.0000000003879000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename114326d3-9409-41d5-a856-433d8726b4f2.exe4 vs hesaphareketi-.exe
                  Source: hesaphareketi-.exe, 00000000.00000002.1763207948.0000000003AE6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename114326d3-9409-41d5-a856-433d8726b4f2.exe4 vs hesaphareketi-.exe
                  Source: hesaphareketi-.exe, 00000000.00000002.1763207948.0000000003AE6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs hesaphareketi-.exe
                  Source: hesaphareketi-.exe, 00000000.00000000.1733738489.0000000000528000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamewfrb.exeN vs hesaphareketi-.exe
                  Source: hesaphareketi-.exe, 00000000.00000002.1766847259.00000000071E0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs hesaphareketi-.exe
                  Source: hesaphareketi-.exe, 00000000.00000002.1760958903.0000000000AEE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs hesaphareketi-.exe
                  Source: hesaphareketi-.exe, 00000002.00000002.4188455477.00000000009A9000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs hesaphareketi-.exe
                  Source: hesaphareketi-.exe, 00000002.00000002.4188331044.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilename114326d3-9409-41d5-a856-433d8726b4f2.exe4 vs hesaphareketi-.exe
                  Source: hesaphareketi-.exeBinary or memory string: OriginalFilenamewfrb.exeN vs hesaphareketi-.exe
                  Source: hesaphareketi-.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 2.2.hesaphareketi-.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 2.2.hesaphareketi-.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.2.hesaphareketi-.exe.3b6d660.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.hesaphareketi-.exe.3b6d660.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.2.hesaphareketi-.exe.38c34e0.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.hesaphareketi-.exe.38c34e0.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.2.hesaphareketi-.exe.38c34e0.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.hesaphareketi-.exe.38c34e0.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.2.hesaphareketi-.exe.3b6d660.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.hesaphareketi-.exe.3b6d660.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.2.hesaphareketi-.exe.38c34e0.3.raw.unpack, roEs93G.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.hesaphareketi-.exe.38c34e0.3.raw.unpack, roEs93G.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.hesaphareketi-.exe.38c34e0.3.raw.unpack, JQn0Aia1.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.hesaphareketi-.exe.38c34e0.3.raw.unpack, JQn0Aia1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 0.2.hesaphareketi-.exe.38c34e0.3.raw.unpack, YsrmZ97b.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.hesaphareketi-.exe.38c34e0.3.raw.unpack, YsrmZ97b.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.hesaphareketi-.exe.38c34e0.3.raw.unpack, YsrmZ97b.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.hesaphareketi-.exe.38c34e0.3.raw.unpack, YsrmZ97b.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.hesaphareketi-.exe.71e0000.8.raw.unpack, qSF0J7DvnxdthJZib5.csSecurity API names: _0020.SetAccessControl
                  Source: 0.2.hesaphareketi-.exe.71e0000.8.raw.unpack, qSF0J7DvnxdthJZib5.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.hesaphareketi-.exe.71e0000.8.raw.unpack, qSF0J7DvnxdthJZib5.csSecurity API names: _0020.AddAccessRule
                  Source: 0.2.hesaphareketi-.exe.3ce2d50.2.raw.unpack, qSF0J7DvnxdthJZib5.csSecurity API names: _0020.SetAccessControl
                  Source: 0.2.hesaphareketi-.exe.3ce2d50.2.raw.unpack, qSF0J7DvnxdthJZib5.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.hesaphareketi-.exe.3ce2d50.2.raw.unpack, qSF0J7DvnxdthJZib5.csSecurity API names: _0020.AddAccessRule
                  Source: 0.2.hesaphareketi-.exe.3c66b30.5.raw.unpack, qSF0J7DvnxdthJZib5.csSecurity API names: _0020.SetAccessControl
                  Source: 0.2.hesaphareketi-.exe.3c66b30.5.raw.unpack, qSF0J7DvnxdthJZib5.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.hesaphareketi-.exe.3c66b30.5.raw.unpack, qSF0J7DvnxdthJZib5.csSecurity API names: _0020.AddAccessRule
                  Source: 0.2.hesaphareketi-.exe.3c66b30.5.raw.unpack, A6T4HvQSBKp3I8TOI7.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.hesaphareketi-.exe.71e0000.8.raw.unpack, A6T4HvQSBKp3I8TOI7.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.hesaphareketi-.exe.3ce2d50.2.raw.unpack, A6T4HvQSBKp3I8TOI7.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/1@2/2
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hesaphareketi-.exe.logJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeMutant created: NULL
                  Source: hesaphareketi-.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: hesaphareketi-.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: hesaphareketi-.exeReversingLabs: Detection: 47%
                  Source: hesaphareketi-.exeString found in binary or memory: Form3!Types of Squares-Startup life evolution%Genetic AlgorithmsyPopulation: chromosomes encoding starting cell and movementsYOperators: selection, crossover and mutation
                  Source: hesaphareketi-.exeString found in binary or memory: Source code available on Github under MIT license: https://github.com/romenrg/genetic-startups
                  Source: unknownProcess created: C:\Users\user\Desktop\hesaphareketi-.exe "C:\Users\user\Desktop\hesaphareketi-.exe"
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess created: C:\Users\user\Desktop\hesaphareketi-.exe "C:\Users\user\Desktop\hesaphareketi-.exe"
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess created: C:\Users\user\Desktop\hesaphareketi-.exe "C:\Users\user\Desktop\hesaphareketi-.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: vaultcli.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                  Source: hesaphareketi-.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: hesaphareketi-.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: hesaphareketi-.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: wfrb.pdbSHA256f source: hesaphareketi-.exe
                  Source: Binary string: wfrb.pdb source: hesaphareketi-.exe

                  Data Obfuscation

                  barindex
                  .NET source code contains potential unpacker
                  Source: hesaphareketi-.exe, MainForm.cs.Net Code: createBasicLayout
                  Source: 0.2.hesaphareketi-.exe.3c66b30.5.raw.unpack, qSF0J7DvnxdthJZib5.cs.Net Code: dNVoVdfCvA System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.hesaphareketi-.exe.5250000.7.raw.unpack, LoginForm.cs.Net Code: _206B_206C_202A_202D_206F_206F_206C_202D_206A_202A_200B_206C_206E_206A_206D_206B_202C_206E_200C_206F_200D_206D_200C_200F_202C_206C_202E_206B_202B_202E_206E_206B_206B_206D_206C_202C_200D_202E_202C_200E_202E System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.hesaphareketi-.exe.3ce2d50.2.raw.unpack, qSF0J7DvnxdthJZib5.cs.Net Code: dNVoVdfCvA System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.hesaphareketi-.exe.71e0000.8.raw.unpack, qSF0J7DvnxdthJZib5.cs.Net Code: dNVoVdfCvA System.Reflection.Assembly.Load(byte[])
                  Source: hesaphareketi-.exeStatic PE information: section name: .text entropy: 6.966251395726089
                  Source: 0.2.hesaphareketi-.exe.3c66b30.5.raw.unpack, U4O5F7tCA5mXrp4xJe.csHigh entropy of concatenated method names: 'wrEKO1a6TW', 'FNgK6M0XsX', 'EUbKaElI24', 'cedKDdvIyN', 'fjkK1FP8eZ', 'fIBK0PHWxo', 'kEyKAB5IhS', 'Q5oKLFyZ22', 'dIoKW9Q3bx', 'QjJKS13eJa'
                  Source: 0.2.hesaphareketi-.exe.3c66b30.5.raw.unpack, s7GQtBPueGNviOKVDk.csHigh entropy of concatenated method names: 'kFcgNgsMyW', 'TCRgQDHiim', 'LLygO7DPyJ', 'OlOg6CxLDp', 'b0cglu8M1d', 'mXwguhOIw2', 'KlsgiqGno4', 'lgtgEk0cIh', 'kfdgeFdjNG', 'E3AgJmuXUa'
                  Source: 0.2.hesaphareketi-.exe.3c66b30.5.raw.unpack, EWNefPUpdnnuMF2LDw.csHigh entropy of concatenated method names: 'KFZTjHmjK1', 'vNWTvNmJWK', 'AatTVHgShh', 'WU6TNPt0qi', 'dM9Tw4wp7G', 'FDHTQSDNRy', 'uiqT9mO5tp', 'jFnTOAOQWi', 'sExT6eVm0b', 'TMmTtaa9JC'
                  Source: 0.2.hesaphareketi-.exe.3c66b30.5.raw.unpack, iVtniYN4vZtxR6yDAr.csHigh entropy of concatenated method names: 'T5giMUHlyV', 'bNhiyNpv60', 'mE4EfjJnwQ', 'PcMEhqjYFP', 'Si1iSf9cbq', 'qihixsx6IF', 'SYaiFEi9MC', 'SXKip23eHr', 'qMMiHXSBAP', 'kMkicK7kaE'
                  Source: 0.2.hesaphareketi-.exe.3c66b30.5.raw.unpack, SM5eqqVuTVFO8dvrHH.csHigh entropy of concatenated method names: 'b4GlWeOUKK', 'g2ClxnWkMK', 'z9ulplClFs', 'Ko0lHDi5lq', 'mcZlDgDQ6r', 'J2rlbkNsLu', 'mPLl1WY2wl', 'TP6l0nP8tC', 'JATlsVMUZs', 'pujlAHYG3y'
                  Source: 0.2.hesaphareketi-.exe.3c66b30.5.raw.unpack, bD17TXcjkL7Y9j5QUH.csHigh entropy of concatenated method names: 'Dispose', 'fRShm0UiIO', 'A58rDpLKTZ', 'pmInn2xbag', 'i2whyPfKWt', 'YfHhz796Du', 'ProcessDialogKey', 'UqOrfUvTPv', 'nKNrhUQKL4', 'oknrrHKP5o'
                  Source: 0.2.hesaphareketi-.exe.3c66b30.5.raw.unpack, yQAU6D1JP0QpKGv8yW.csHigh entropy of concatenated method names: 'W3IhTJZOip', 'U4dhPQF6MJ', 'NCIh71DEl5', 'maIh8IOKmy', 'DqGhlQ7a3I', 'hUehuaFgbj', 'SnrUckHxiy698xlyVl', 'hilfigoE2Ban5eNjyn', 'BYhhhIYxWu', 'WvUhY1F3ca'
                  Source: 0.2.hesaphareketi-.exe.3c66b30.5.raw.unpack, A6T4HvQSBKp3I8TOI7.csHigh entropy of concatenated method names: 'M5qdpd4Ckb', 'iMudHRG6sc', 'l9ZdcemdGQ', 'aMRd2hwAks', 'kSCdqCJt61', 'ryDdXJtHls', 'ORKd5M6fix', 'vJedMg3dAY', 'QRMdmv0eNS', 'NvtdyQ3Qxv'
                  Source: 0.2.hesaphareketi-.exe.3c66b30.5.raw.unpack, Ye427Es96uSuSHgwDH.csHigh entropy of concatenated method names: 'r2uVYhtjV', 'b0mN7bSSD', 'bjOQYsPG0', 'tFW9WWjv9', 'rsa6XfU57', 'x7VtSDabx', 'k5Clos05llpON64yYN', 'h2PRufxw8vaAXY6vUT', 'tO9ECAqVm', 'myDJA69Us'
                  Source: 0.2.hesaphareketi-.exe.3c66b30.5.raw.unpack, PQLLFTlOCBYNXekLp3.csHigh entropy of concatenated method names: 'Mj0eh271UK', 'YTeeYLjPTq', 'EZVeoT74Do', 'TsoeUcOIS2', 'ryxedE3Yfo', 'BIFeCQ4pS3', 'QIxeR6NXDc', 'krpE5kNt8C', 'FxqEMCMweR', 'yQrEmUkmw8'
                  Source: 0.2.hesaphareketi-.exe.3c66b30.5.raw.unpack, tyMC5KzKNmJ8VxLdVq.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'J44eKxZ0WX', 'HVQelpCcj9', 'gE2euphTEc', 'sVdeiJFBjv', 'KGZeE17In6', 'wjweeK5YZ6', 'xfAeJWsjfZ'
                  Source: 0.2.hesaphareketi-.exe.3c66b30.5.raw.unpack, YuuMvnWhOLbeKF1DHk.csHigh entropy of concatenated method names: 'dyFEabo2fD', 'TrJEDTmwCp', 'wnHEbukOiV', 'R1jE1f21Lr', 'LIuEpamc1o', 'F72E0UMSSw', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 0.2.hesaphareketi-.exe.3c66b30.5.raw.unpack, UcN2tS4TVvhfkkdhvv.csHigh entropy of concatenated method names: 'JykRBJjcUX', 'iKnRdmRBes', 'UZwRC3Mw4f', 'Yg9RT9HTxj', 'nu2RPNxLET', 'niVCqpnHYd', 'JDvCXwHGt9', 'xLwC5PUkTa', 'G8nCMhG8AG', 'J8PCmf4rSk'
                  Source: 0.2.hesaphareketi-.exe.3c66b30.5.raw.unpack, qSF0J7DvnxdthJZib5.csHigh entropy of concatenated method names: 'IMuYBx3IaN', 'RGDYUCQXdW', 'tuDYdhUgIM', 'ylwYgPtbfJ', 'ujQYCWxhqM', 'In9YRUTT8k', 'HhpYTRtD2R', 'YMmYP8Jh4D', 'RqZY4weB5J', 'cRjY72POCr'
                  Source: 0.2.hesaphareketi-.exe.3c66b30.5.raw.unpack, HGW7wDaJtlnWFFev73.csHigh entropy of concatenated method names: 'tmfRkuDgAU', 'iprRjYnJOw', 'ioSRVD7Jho', 'B9WRNNTgRU', 'zC4RQ23m15', 'vHWR9tP0yY', 'tMfR6lg7Y0', 'F3nRtGN9sH', 'AZSIu8few6G8M1bqJHa', 'IHop0pfiXYUD4mPcQd8'
                  Source: 0.2.hesaphareketi-.exe.3c66b30.5.raw.unpack, ngaD9fevEcvo0XvIaN.csHigh entropy of concatenated method names: 'E5Bi7giErN', 'SDEi8BqRWc', 'ToString', 'v6diUdA3O4', 'YsCidulyBF', 'z9Kig2gAWm', 'JwBiCaiCR1', 'OtFiRemuuV', 'cPdiTh1qw1', 'sjPiPSt1EO'
                  Source: 0.2.hesaphareketi-.exe.3c66b30.5.raw.unpack, DKDR76B8ckP7Brsx4b.csHigh entropy of concatenated method names: 'zNcEUvK3AK', 'SPLEdtZLbj', 'DCkEgeOYJc', 'Pl3ECY7U8R', 'vQmERpoSf7', 'TClETMMMZW', 'kATEPuBjTQ', 'YDBE4d3qFW', 'HMgE7kIO1K', 'rPAE8LLRhw'
                  Source: 0.2.hesaphareketi-.exe.3c66b30.5.raw.unpack, adXmY1I1Otiab8KBLS.csHigh entropy of concatenated method names: 'OElCwfUSSx', 'R90C9oZhQ9', 'hmGgbe4VMm', 'EmRg13yZiw', 'WQug00cQku', 'gnZgs5Fqe4', 'WYHgA0Eu79', 'IZDgL5PRDi', 'vGlg3ZXJ5Q', 'N9hgWbsROP'
                  Source: 0.2.hesaphareketi-.exe.3c66b30.5.raw.unpack, LHjqx0gXy9y11yjTH21.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JPmJpnWttY', 'yV0JH9urgi', 'ovoJc1cIek', 'eYmJ2uGRV1', 'GfjJqBKtKO', 'lG6JXRKu0X', 'PpBJ5swk1L'
                  Source: 0.2.hesaphareketi-.exe.3c66b30.5.raw.unpack, TwgML5SYjhFRdyKIDi.csHigh entropy of concatenated method names: 'kkYk9WfMAwlrTVa0H7n', 'lCcPX8f9OD2uanXLNc8', 'IBTREwaEKS', 'Ni9ReCGfyP', 'H81RJhwFar', 'kGb59UfrgJR0YMVmpMg', 'doID52fgJUSQ5DrcxB5'
                  Source: 0.2.hesaphareketi-.exe.3c66b30.5.raw.unpack, mDcIsZgfbrOPtql7Els.csHigh entropy of concatenated method names: 'BKlejsZ0Ga', 'tkZevlsogp', 'YcneViUvj3', 'WaNeNZVX1x', 'GEIewQcT6I', 'dTFeQYhwJJ', 'rsfe9YhMa3', 'QRNeOj4DJJ', 'HB5e6AMZ9P', 'bjket1wkgt'
                  Source: 0.2.hesaphareketi-.exe.3ce2d50.2.raw.unpack, U4O5F7tCA5mXrp4xJe.csHigh entropy of concatenated method names: 'wrEKO1a6TW', 'FNgK6M0XsX', 'EUbKaElI24', 'cedKDdvIyN', 'fjkK1FP8eZ', 'fIBK0PHWxo', 'kEyKAB5IhS', 'Q5oKLFyZ22', 'dIoKW9Q3bx', 'QjJKS13eJa'
                  Source: 0.2.hesaphareketi-.exe.3ce2d50.2.raw.unpack, s7GQtBPueGNviOKVDk.csHigh entropy of concatenated method names: 'kFcgNgsMyW', 'TCRgQDHiim', 'LLygO7DPyJ', 'OlOg6CxLDp', 'b0cglu8M1d', 'mXwguhOIw2', 'KlsgiqGno4', 'lgtgEk0cIh', 'kfdgeFdjNG', 'E3AgJmuXUa'
                  Source: 0.2.hesaphareketi-.exe.3ce2d50.2.raw.unpack, EWNefPUpdnnuMF2LDw.csHigh entropy of concatenated method names: 'KFZTjHmjK1', 'vNWTvNmJWK', 'AatTVHgShh', 'WU6TNPt0qi', 'dM9Tw4wp7G', 'FDHTQSDNRy', 'uiqT9mO5tp', 'jFnTOAOQWi', 'sExT6eVm0b', 'TMmTtaa9JC'
                  Source: 0.2.hesaphareketi-.exe.3ce2d50.2.raw.unpack, iVtniYN4vZtxR6yDAr.csHigh entropy of concatenated method names: 'T5giMUHlyV', 'bNhiyNpv60', 'mE4EfjJnwQ', 'PcMEhqjYFP', 'Si1iSf9cbq', 'qihixsx6IF', 'SYaiFEi9MC', 'SXKip23eHr', 'qMMiHXSBAP', 'kMkicK7kaE'
                  Source: 0.2.hesaphareketi-.exe.3ce2d50.2.raw.unpack, SM5eqqVuTVFO8dvrHH.csHigh entropy of concatenated method names: 'b4GlWeOUKK', 'g2ClxnWkMK', 'z9ulplClFs', 'Ko0lHDi5lq', 'mcZlDgDQ6r', 'J2rlbkNsLu', 'mPLl1WY2wl', 'TP6l0nP8tC', 'JATlsVMUZs', 'pujlAHYG3y'
                  Source: 0.2.hesaphareketi-.exe.3ce2d50.2.raw.unpack, bD17TXcjkL7Y9j5QUH.csHigh entropy of concatenated method names: 'Dispose', 'fRShm0UiIO', 'A58rDpLKTZ', 'pmInn2xbag', 'i2whyPfKWt', 'YfHhz796Du', 'ProcessDialogKey', 'UqOrfUvTPv', 'nKNrhUQKL4', 'oknrrHKP5o'
                  Source: 0.2.hesaphareketi-.exe.3ce2d50.2.raw.unpack, yQAU6D1JP0QpKGv8yW.csHigh entropy of concatenated method names: 'W3IhTJZOip', 'U4dhPQF6MJ', 'NCIh71DEl5', 'maIh8IOKmy', 'DqGhlQ7a3I', 'hUehuaFgbj', 'SnrUckHxiy698xlyVl', 'hilfigoE2Ban5eNjyn', 'BYhhhIYxWu', 'WvUhY1F3ca'
                  Source: 0.2.hesaphareketi-.exe.3ce2d50.2.raw.unpack, A6T4HvQSBKp3I8TOI7.csHigh entropy of concatenated method names: 'M5qdpd4Ckb', 'iMudHRG6sc', 'l9ZdcemdGQ', 'aMRd2hwAks', 'kSCdqCJt61', 'ryDdXJtHls', 'ORKd5M6fix', 'vJedMg3dAY', 'QRMdmv0eNS', 'NvtdyQ3Qxv'
                  Source: 0.2.hesaphareketi-.exe.3ce2d50.2.raw.unpack, Ye427Es96uSuSHgwDH.csHigh entropy of concatenated method names: 'r2uVYhtjV', 'b0mN7bSSD', 'bjOQYsPG0', 'tFW9WWjv9', 'rsa6XfU57', 'x7VtSDabx', 'k5Clos05llpON64yYN', 'h2PRufxw8vaAXY6vUT', 'tO9ECAqVm', 'myDJA69Us'
                  Source: 0.2.hesaphareketi-.exe.3ce2d50.2.raw.unpack, PQLLFTlOCBYNXekLp3.csHigh entropy of concatenated method names: 'Mj0eh271UK', 'YTeeYLjPTq', 'EZVeoT74Do', 'TsoeUcOIS2', 'ryxedE3Yfo', 'BIFeCQ4pS3', 'QIxeR6NXDc', 'krpE5kNt8C', 'FxqEMCMweR', 'yQrEmUkmw8'
                  Source: 0.2.hesaphareketi-.exe.3ce2d50.2.raw.unpack, tyMC5KzKNmJ8VxLdVq.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'J44eKxZ0WX', 'HVQelpCcj9', 'gE2euphTEc', 'sVdeiJFBjv', 'KGZeE17In6', 'wjweeK5YZ6', 'xfAeJWsjfZ'
                  Source: 0.2.hesaphareketi-.exe.3ce2d50.2.raw.unpack, YuuMvnWhOLbeKF1DHk.csHigh entropy of concatenated method names: 'dyFEabo2fD', 'TrJEDTmwCp', 'wnHEbukOiV', 'R1jE1f21Lr', 'LIuEpamc1o', 'F72E0UMSSw', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 0.2.hesaphareketi-.exe.3ce2d50.2.raw.unpack, UcN2tS4TVvhfkkdhvv.csHigh entropy of concatenated method names: 'JykRBJjcUX', 'iKnRdmRBes', 'UZwRC3Mw4f', 'Yg9RT9HTxj', 'nu2RPNxLET', 'niVCqpnHYd', 'JDvCXwHGt9', 'xLwC5PUkTa', 'G8nCMhG8AG', 'J8PCmf4rSk'
                  Source: 0.2.hesaphareketi-.exe.3ce2d50.2.raw.unpack, qSF0J7DvnxdthJZib5.csHigh entropy of concatenated method names: 'IMuYBx3IaN', 'RGDYUCQXdW', 'tuDYdhUgIM', 'ylwYgPtbfJ', 'ujQYCWxhqM', 'In9YRUTT8k', 'HhpYTRtD2R', 'YMmYP8Jh4D', 'RqZY4weB5J', 'cRjY72POCr'
                  Source: 0.2.hesaphareketi-.exe.3ce2d50.2.raw.unpack, HGW7wDaJtlnWFFev73.csHigh entropy of concatenated method names: 'tmfRkuDgAU', 'iprRjYnJOw', 'ioSRVD7Jho', 'B9WRNNTgRU', 'zC4RQ23m15', 'vHWR9tP0yY', 'tMfR6lg7Y0', 'F3nRtGN9sH', 'AZSIu8few6G8M1bqJHa', 'IHop0pfiXYUD4mPcQd8'
                  Source: 0.2.hesaphareketi-.exe.3ce2d50.2.raw.unpack, ngaD9fevEcvo0XvIaN.csHigh entropy of concatenated method names: 'E5Bi7giErN', 'SDEi8BqRWc', 'ToString', 'v6diUdA3O4', 'YsCidulyBF', 'z9Kig2gAWm', 'JwBiCaiCR1', 'OtFiRemuuV', 'cPdiTh1qw1', 'sjPiPSt1EO'
                  Source: 0.2.hesaphareketi-.exe.3ce2d50.2.raw.unpack, DKDR76B8ckP7Brsx4b.csHigh entropy of concatenated method names: 'zNcEUvK3AK', 'SPLEdtZLbj', 'DCkEgeOYJc', 'Pl3ECY7U8R', 'vQmERpoSf7', 'TClETMMMZW', 'kATEPuBjTQ', 'YDBE4d3qFW', 'HMgE7kIO1K', 'rPAE8LLRhw'
                  Source: 0.2.hesaphareketi-.exe.3ce2d50.2.raw.unpack, adXmY1I1Otiab8KBLS.csHigh entropy of concatenated method names: 'OElCwfUSSx', 'R90C9oZhQ9', 'hmGgbe4VMm', 'EmRg13yZiw', 'WQug00cQku', 'gnZgs5Fqe4', 'WYHgA0Eu79', 'IZDgL5PRDi', 'vGlg3ZXJ5Q', 'N9hgWbsROP'
                  Source: 0.2.hesaphareketi-.exe.3ce2d50.2.raw.unpack, LHjqx0gXy9y11yjTH21.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JPmJpnWttY', 'yV0JH9urgi', 'ovoJc1cIek', 'eYmJ2uGRV1', 'GfjJqBKtKO', 'lG6JXRKu0X', 'PpBJ5swk1L'
                  Source: 0.2.hesaphareketi-.exe.3ce2d50.2.raw.unpack, TwgML5SYjhFRdyKIDi.csHigh entropy of concatenated method names: 'kkYk9WfMAwlrTVa0H7n', 'lCcPX8f9OD2uanXLNc8', 'IBTREwaEKS', 'Ni9ReCGfyP', 'H81RJhwFar', 'kGb59UfrgJR0YMVmpMg', 'doID52fgJUSQ5DrcxB5'
                  Source: 0.2.hesaphareketi-.exe.3ce2d50.2.raw.unpack, mDcIsZgfbrOPtql7Els.csHigh entropy of concatenated method names: 'BKlejsZ0Ga', 'tkZevlsogp', 'YcneViUvj3', 'WaNeNZVX1x', 'GEIewQcT6I', 'dTFeQYhwJJ', 'rsfe9YhMa3', 'QRNeOj4DJJ', 'HB5e6AMZ9P', 'bjket1wkgt'
                  Source: 0.2.hesaphareketi-.exe.71e0000.8.raw.unpack, U4O5F7tCA5mXrp4xJe.csHigh entropy of concatenated method names: 'wrEKO1a6TW', 'FNgK6M0XsX', 'EUbKaElI24', 'cedKDdvIyN', 'fjkK1FP8eZ', 'fIBK0PHWxo', 'kEyKAB5IhS', 'Q5oKLFyZ22', 'dIoKW9Q3bx', 'QjJKS13eJa'
                  Source: 0.2.hesaphareketi-.exe.71e0000.8.raw.unpack, s7GQtBPueGNviOKVDk.csHigh entropy of concatenated method names: 'kFcgNgsMyW', 'TCRgQDHiim', 'LLygO7DPyJ', 'OlOg6CxLDp', 'b0cglu8M1d', 'mXwguhOIw2', 'KlsgiqGno4', 'lgtgEk0cIh', 'kfdgeFdjNG', 'E3AgJmuXUa'
                  Source: 0.2.hesaphareketi-.exe.71e0000.8.raw.unpack, EWNefPUpdnnuMF2LDw.csHigh entropy of concatenated method names: 'KFZTjHmjK1', 'vNWTvNmJWK', 'AatTVHgShh', 'WU6TNPt0qi', 'dM9Tw4wp7G', 'FDHTQSDNRy', 'uiqT9mO5tp', 'jFnTOAOQWi', 'sExT6eVm0b', 'TMmTtaa9JC'
                  Source: 0.2.hesaphareketi-.exe.71e0000.8.raw.unpack, iVtniYN4vZtxR6yDAr.csHigh entropy of concatenated method names: 'T5giMUHlyV', 'bNhiyNpv60', 'mE4EfjJnwQ', 'PcMEhqjYFP', 'Si1iSf9cbq', 'qihixsx6IF', 'SYaiFEi9MC', 'SXKip23eHr', 'qMMiHXSBAP', 'kMkicK7kaE'
                  Source: 0.2.hesaphareketi-.exe.71e0000.8.raw.unpack, SM5eqqVuTVFO8dvrHH.csHigh entropy of concatenated method names: 'b4GlWeOUKK', 'g2ClxnWkMK', 'z9ulplClFs', 'Ko0lHDi5lq', 'mcZlDgDQ6r', 'J2rlbkNsLu', 'mPLl1WY2wl', 'TP6l0nP8tC', 'JATlsVMUZs', 'pujlAHYG3y'
                  Source: 0.2.hesaphareketi-.exe.71e0000.8.raw.unpack, bD17TXcjkL7Y9j5QUH.csHigh entropy of concatenated method names: 'Dispose', 'fRShm0UiIO', 'A58rDpLKTZ', 'pmInn2xbag', 'i2whyPfKWt', 'YfHhz796Du', 'ProcessDialogKey', 'UqOrfUvTPv', 'nKNrhUQKL4', 'oknrrHKP5o'
                  Source: 0.2.hesaphareketi-.exe.71e0000.8.raw.unpack, yQAU6D1JP0QpKGv8yW.csHigh entropy of concatenated method names: 'W3IhTJZOip', 'U4dhPQF6MJ', 'NCIh71DEl5', 'maIh8IOKmy', 'DqGhlQ7a3I', 'hUehuaFgbj', 'SnrUckHxiy698xlyVl', 'hilfigoE2Ban5eNjyn', 'BYhhhIYxWu', 'WvUhY1F3ca'
                  Source: 0.2.hesaphareketi-.exe.71e0000.8.raw.unpack, A6T4HvQSBKp3I8TOI7.csHigh entropy of concatenated method names: 'M5qdpd4Ckb', 'iMudHRG6sc', 'l9ZdcemdGQ', 'aMRd2hwAks', 'kSCdqCJt61', 'ryDdXJtHls', 'ORKd5M6fix', 'vJedMg3dAY', 'QRMdmv0eNS', 'NvtdyQ3Qxv'
                  Source: 0.2.hesaphareketi-.exe.71e0000.8.raw.unpack, Ye427Es96uSuSHgwDH.csHigh entropy of concatenated method names: 'r2uVYhtjV', 'b0mN7bSSD', 'bjOQYsPG0', 'tFW9WWjv9', 'rsa6XfU57', 'x7VtSDabx', 'k5Clos05llpON64yYN', 'h2PRufxw8vaAXY6vUT', 'tO9ECAqVm', 'myDJA69Us'
                  Source: 0.2.hesaphareketi-.exe.71e0000.8.raw.unpack, PQLLFTlOCBYNXekLp3.csHigh entropy of concatenated method names: 'Mj0eh271UK', 'YTeeYLjPTq', 'EZVeoT74Do', 'TsoeUcOIS2', 'ryxedE3Yfo', 'BIFeCQ4pS3', 'QIxeR6NXDc', 'krpE5kNt8C', 'FxqEMCMweR', 'yQrEmUkmw8'
                  Source: 0.2.hesaphareketi-.exe.71e0000.8.raw.unpack, tyMC5KzKNmJ8VxLdVq.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'J44eKxZ0WX', 'HVQelpCcj9', 'gE2euphTEc', 'sVdeiJFBjv', 'KGZeE17In6', 'wjweeK5YZ6', 'xfAeJWsjfZ'
                  Source: 0.2.hesaphareketi-.exe.71e0000.8.raw.unpack, YuuMvnWhOLbeKF1DHk.csHigh entropy of concatenated method names: 'dyFEabo2fD', 'TrJEDTmwCp', 'wnHEbukOiV', 'R1jE1f21Lr', 'LIuEpamc1o', 'F72E0UMSSw', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 0.2.hesaphareketi-.exe.71e0000.8.raw.unpack, UcN2tS4TVvhfkkdhvv.csHigh entropy of concatenated method names: 'JykRBJjcUX', 'iKnRdmRBes', 'UZwRC3Mw4f', 'Yg9RT9HTxj', 'nu2RPNxLET', 'niVCqpnHYd', 'JDvCXwHGt9', 'xLwC5PUkTa', 'G8nCMhG8AG', 'J8PCmf4rSk'
                  Source: 0.2.hesaphareketi-.exe.71e0000.8.raw.unpack, qSF0J7DvnxdthJZib5.csHigh entropy of concatenated method names: 'IMuYBx3IaN', 'RGDYUCQXdW', 'tuDYdhUgIM', 'ylwYgPtbfJ', 'ujQYCWxhqM', 'In9YRUTT8k', 'HhpYTRtD2R', 'YMmYP8Jh4D', 'RqZY4weB5J', 'cRjY72POCr'
                  Source: 0.2.hesaphareketi-.exe.71e0000.8.raw.unpack, HGW7wDaJtlnWFFev73.csHigh entropy of concatenated method names: 'tmfRkuDgAU', 'iprRjYnJOw', 'ioSRVD7Jho', 'B9WRNNTgRU', 'zC4RQ23m15', 'vHWR9tP0yY', 'tMfR6lg7Y0', 'F3nRtGN9sH', 'AZSIu8few6G8M1bqJHa', 'IHop0pfiXYUD4mPcQd8'
                  Source: 0.2.hesaphareketi-.exe.71e0000.8.raw.unpack, ngaD9fevEcvo0XvIaN.csHigh entropy of concatenated method names: 'E5Bi7giErN', 'SDEi8BqRWc', 'ToString', 'v6diUdA3O4', 'YsCidulyBF', 'z9Kig2gAWm', 'JwBiCaiCR1', 'OtFiRemuuV', 'cPdiTh1qw1', 'sjPiPSt1EO'
                  Source: 0.2.hesaphareketi-.exe.71e0000.8.raw.unpack, DKDR76B8ckP7Brsx4b.csHigh entropy of concatenated method names: 'zNcEUvK3AK', 'SPLEdtZLbj', 'DCkEgeOYJc', 'Pl3ECY7U8R', 'vQmERpoSf7', 'TClETMMMZW', 'kATEPuBjTQ', 'YDBE4d3qFW', 'HMgE7kIO1K', 'rPAE8LLRhw'
                  Source: 0.2.hesaphareketi-.exe.71e0000.8.raw.unpack, adXmY1I1Otiab8KBLS.csHigh entropy of concatenated method names: 'OElCwfUSSx', 'R90C9oZhQ9', 'hmGgbe4VMm', 'EmRg13yZiw', 'WQug00cQku', 'gnZgs5Fqe4', 'WYHgA0Eu79', 'IZDgL5PRDi', 'vGlg3ZXJ5Q', 'N9hgWbsROP'
                  Source: 0.2.hesaphareketi-.exe.71e0000.8.raw.unpack, LHjqx0gXy9y11yjTH21.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JPmJpnWttY', 'yV0JH9urgi', 'ovoJc1cIek', 'eYmJ2uGRV1', 'GfjJqBKtKO', 'lG6JXRKu0X', 'PpBJ5swk1L'
                  Source: 0.2.hesaphareketi-.exe.71e0000.8.raw.unpack, TwgML5SYjhFRdyKIDi.csHigh entropy of concatenated method names: 'kkYk9WfMAwlrTVa0H7n', 'lCcPX8f9OD2uanXLNc8', 'IBTREwaEKS', 'Ni9ReCGfyP', 'H81RJhwFar', 'kGb59UfrgJR0YMVmpMg', 'doID52fgJUSQ5DrcxB5'
                  Source: 0.2.hesaphareketi-.exe.71e0000.8.raw.unpack, mDcIsZgfbrOPtql7Els.csHigh entropy of concatenated method names: 'BKlejsZ0Ga', 'tkZevlsogp', 'YcneViUvj3', 'WaNeNZVX1x', 'GEIewQcT6I', 'dTFeQYhwJJ', 'rsfe9YhMa3', 'QRNeOj4DJJ', 'HB5e6AMZ9P', 'bjket1wkgt'
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  barindex
                  Yara detected AntiVM3
                  Source: Yara matchFile source: Process Memory Space: hesaphareketi-.exe PID: 6832, type: MEMORYSTR
                  Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeMemory allocated: 2670000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeMemory allocated: 2870000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeMemory allocated: 2670000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeMemory allocated: 7710000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeMemory allocated: 8710000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeMemory allocated: 88C0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeMemory allocated: 98C0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeMemory allocated: 2950000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeMemory allocated: 2B40000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeMemory allocated: 2950000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 599875Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 599766Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 599656Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 599547Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 599437Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 599328Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 599219Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 599109Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 599000Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 598891Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 598781Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 598670Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 598562Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 598453Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 598343Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 598234Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 598125Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 598014Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 597906Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 597797Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 597684Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 597578Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 597466Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 597359Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 597250Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 597141Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 597031Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 596922Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 596812Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 596703Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 596594Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 596484Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 596375Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 596266Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 596156Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 596047Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 595937Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 595828Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 595719Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 595609Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 595500Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 595391Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 595281Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 595172Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 595062Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 594953Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 594844Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 594734Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 594625Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeWindow / User API: threadDelayed 957Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeWindow / User API: threadDelayed 8908Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6880Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -25825441703193356s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -600000s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -599875s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -599766s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -599656s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -599547s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -599437s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -599328s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -599219s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -599109s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -599000s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -598891s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -598781s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -598670s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -598562s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -598453s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -598343s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -598234s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -598125s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -598014s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -597906s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -597797s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -597684s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -597578s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -597466s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -597359s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -597250s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -597141s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -597031s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -596922s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -596812s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -596703s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -596594s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -596484s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -596375s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -596266s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -596156s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -596047s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -595937s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -595828s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -595719s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -595609s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -595500s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -595391s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -595281s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -595172s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -595062s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -594953s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -594844s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -594734s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6508Thread sleep time: -594625s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 599875Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 599766Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 599656Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 599547Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 599437Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 599328Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 599219Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 599109Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 599000Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 598891Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 598781Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 598670Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 598562Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 598453Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 598343Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 598234Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 598125Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 598014Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 597906Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 597797Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 597684Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 597578Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 597466Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 597359Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 597250Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 597141Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 597031Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 596922Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 596812Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 596703Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 596594Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 596484Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 596375Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 596266Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 596156Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 596047Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 595937Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 595828Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 595719Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 595609Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 595500Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 595391Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 595281Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 595172Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 595062Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 594953Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 594844Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 594734Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeThread delayed: delay time: 594625Jump to behavior
                  Source: hesaphareketi-.exe, 00000002.00000002.4188566877.0000000000D55000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeMemory allocated: page read and write | page guardJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess created: C:\Users\user\Desktop\hesaphareketi-.exe "C:\Users\user\Desktop\hesaphareketi-.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Users\user\Desktop\hesaphareketi-.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Users\user\Desktop\hesaphareketi-.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information

                  barindex
                  Yara detected AgentTesla
                  Source: Yara matchFile source: 2.2.hesaphareketi-.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.hesaphareketi-.exe.3b6d660.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.hesaphareketi-.exe.38c34e0.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.hesaphareketi-.exe.38c34e0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.hesaphareketi-.exe.3b6d660.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000002.1763207948.0000000003879000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.4189629111.0000000002BB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.4188331044.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.4189629111.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1763207948.0000000003AE6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: hesaphareketi-.exe PID: 6832, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: hesaphareketi-.exe PID: 3496, type: MEMORYSTR
                  Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.iniJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.iniJump to behavior
                  Tries to harvest and steal ftp login credentials
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeFile opened: C:\FTP Navigator\Ftplist.txtJump to behavior
                  Tries to steal Mail credentials (via file / registry access)
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                  Source: C:\Users\user\Desktop\hesaphareketi-.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                  Source: Yara matchFile source: 2.2.hesaphareketi-.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.hesaphareketi-.exe.3b6d660.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.hesaphareketi-.exe.38c34e0.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.hesaphareketi-.exe.38c34e0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.hesaphareketi-.exe.3b6d660.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000002.1763207948.0000000003879000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.4188331044.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.4189629111.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1763207948.0000000003AE6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: hesaphareketi-.exe PID: 6832, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: hesaphareketi-.exe PID: 3496, type: MEMORYSTR

                  Remote Access Functionality

                  barindex
                  Yara detected AgentTesla
                  Source: Yara matchFile source: 2.2.hesaphareketi-.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.hesaphareketi-.exe.3b6d660.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.hesaphareketi-.exe.38c34e0.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.hesaphareketi-.exe.38c34e0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.hesaphareketi-.exe.3b6d660.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000002.1763207948.0000000003879000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.4189629111.0000000002BB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.4188331044.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.4189629111.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1763207948.0000000003AE6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: hesaphareketi-.exe PID: 6832, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: hesaphareketi-.exe PID: 3496, type: MEMORYSTR

                  Mitre Att&ck Matrix

                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                  Windows Management Instrumentation                  		1
                  DLL Side-Loading                  		1
                  DLL Side-Loading                  		1
                  Disable or Modify Tools                  		2
                  OS Credential Dumping                  		1
                  File and Directory Discovery                  		Remote Services11
                  Archive Collected Data                  		1
                  Ingress Tool Transfer                  		1
                  Exfiltration Over Alternative Protocol                  		Abuse Accessibility Features
                  CredentialsDomainsDefault Accounts2
                  Command and Scripting Interpreter                  		Boot or Logon Initialization Scripts11
                  Process Injection                  		1
                  Deobfuscate/Decode Files or Information                  		31
                  Input Capture                  		24
                  System Information Discovery                  		Remote Desktop Protocol2
                  Data from Local System                  		11
                  Encrypted Channel                  		Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
                  Obfuscated Files or Information                  		1
                  Credentials in Registry                  		1
                  Query Registry                  		SMB/Windows Admin Shares1
                  Email Collection                  		1
                  Non-Standard Port                  		Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
                  Software Packing                  		NTDS111
                  Security Software Discovery                  		Distributed Component Object Model31
                  Input Capture                  		2
                  Non-Application Layer Protocol                  		Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                  DLL Side-Loading                  		LSA Secrets1
                  Process Discovery                  		SSH1
                  Clipboard Data                  		23
                  Application Layer Protocol                  		Scheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                  Masquerading                  		Cached Domain Credentials141
                  Virtualization/Sandbox Evasion                  		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items141
                  Virtualization/Sandbox Evasion                  		DCSync1
                  Application Window Discovery                  		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job11
                  Process Injection                  		Proc Filesystem1
                  System Network Configuration Discovery                  		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  hesaphareketi-.exe47%ReversingLabsByteCode-MSIL.Trojan.AgentTesla
                  hesaphareketi-.exe100%Joe Sandbox ML

                  Dropped Files

                  No Antivirus matches

                  Unpacked PE Files

                  No Antivirus matches

                  Domains

                  No Antivirus matches

                  URLs

                  SourceDetectionScannerLabelLink
                  https://api.ipify.org/0%URL Reputationsafe
                  http://www.apache.org/licenses/LICENSE-2.00%URL Reputationsafe
                  http://www.fontbureau.com0%URL Reputationsafe
                  http://www.fontbureau.com/designersG0%URL Reputationsafe
                  http://www.fontbureau.com/designers/?0%URL Reputationsafe
                  http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                  https://account.dyn.com/0%URL Reputationsafe
                  http://www.fontbureau.com/designers?0%URL Reputationsafe
                  http://www.tiro.com0%URL Reputationsafe
                  http://www.fontbureau.com/designers0%URL Reputationsafe
                  http://www.goodfont.co.kr0%URL Reputationsafe
                  https://api.ipify.org/t0%URL Reputationsafe
                  http://www.carterandcone.coml0%URL Reputationsafe
                  http://www.sajatypeworks.com0%URL Reputationsafe
                  http://www.typography.netD0%URL Reputationsafe
                  http://www.fontbureau.com/designers/cabarga.htmlN0%URL Reputationsafe
                  http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                  http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                  https://api.ipify.org0%URL Reputationsafe
                  http://www.founder.com.cn/cn0%URL Reputationsafe
                  http://www.fontbureau.com/designers/frere-user.html0%URL Reputationsafe
                  http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                  http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                  http://www.fontbureau.com/designers80%URL Reputationsafe
                  http://www.fonts.com0%URL Reputationsafe
                  http://www.sandoll.co.kr0%URL Reputationsafe
                  http://www.urwpp.deDPlease0%URL Reputationsafe
                  http://www.zhongyicts.com.cn0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                  http://www.sakkal.com0%URL Reputationsafe
                  http://ftp.normagroup.com.tr100%Avira URL Cloudmalware
                  https://github.com/romenrg/genetic-startups0%Avira URL Cloudsafe
                  http://tempuri.org/DataSet1.xsd#tableLayoutPanel10%Avira URL Cloudsafe

                  Domains and IPs

                  Contacted Domains

                  NameIPActiveMaliciousAntivirus DetectionReputation
                  api.ipify.org
                  		104.26.12.205
                  		truefalse
                    		unknown
                    ftp.normagroup.com.tr
                    		104.247.165.99
                    		truetrue
                      		unknown

                      Contacted URLs

                      NameMaliciousAntivirus DetectionReputation
                      https://api.ipify.org/false
                      • URL Reputation: safe
                      		unknown

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://ftp.normagroup.com.trhesaphareketi-.exe, 00000002.00000002.4189629111.0000000002E48000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-.exe, 00000002.00000002.4189629111.0000000002DED000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-.exe, 00000002.00000002.4189629111.0000000002BCF000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-.exe, 00000002.00000002.4189629111.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-.exe, 00000002.00000002.4189629111.0000000002BB9000.00000004.00000800.00020000.00000000.sdmptrue
                      • Avira URL Cloud: malware
                      		unknown
                      http://www.apache.org/licenses/LICENSE-2.0hesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.fontbureau.comhesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.fontbureau.com/designersGhesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.fontbureau.com/designers/?hesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.founder.com.cn/cn/bThehesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://account.dyn.com/hesaphareketi-.exe, 00000000.00000002.1763207948.0000000003879000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-.exe, 00000000.00000002.1763207948.0000000003AE6000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-.exe, 00000002.00000002.4188331044.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.fontbureau.com/designers?hesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.tiro.comhesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://github.com/romenrg/genetic-startupshesaphareketi-.exefalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://www.fontbureau.com/designershesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.goodfont.co.krhesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://api.ipify.org/thesaphareketi-.exe, 00000002.00000002.4189629111.0000000002B41000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.carterandcone.comlhesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.sajatypeworks.comhesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.typography.netDhesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.fontbureau.com/designers/cabarga.htmlNhesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.founder.com.cn/cn/cThehesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.galapagosdesign.com/staff/dennis.htmhesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://api.ipify.orghesaphareketi-.exe, 00000000.00000002.1763207948.0000000003879000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-.exe, 00000000.00000002.1763207948.0000000003AE6000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-.exe, 00000002.00000002.4189629111.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-.exe, 00000002.00000002.4188331044.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.founder.com.cn/cnhesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.fontbureau.com/designers/frere-user.htmlhesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.jiyu-kobo.co.jp/hesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.galapagosdesign.com/DPleasehesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.fontbureau.com/designers8hesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.fonts.comhesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.sandoll.co.krhesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.urwpp.deDPleasehesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.zhongyicts.com.cnhesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namehesaphareketi-.exe, 00000002.00000002.4189629111.0000000002B41000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.sakkal.comhesaphareketi-.exe, 00000000.00000002.1765665168.0000000005880000.00000004.00000020.00020000.00000000.sdmp, hesaphareketi-.exe, 00000000.00000002.1765691420.0000000006952000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/DataSet1.xsd#tableLayoutPanel1hesaphareketi-.exefalse
                      • Avira URL Cloud: safe
                      		unknown

                      World Map of Contacted IPs

                      • No. of IPs < 25%
                      • 25% < No. of IPs < 50%
                      • 50% < No. of IPs < 75%
                      • 75% < No. of IPs

                      Public IPs

                      IPDomainCountryFlagASNASN NameMalicious
                      104.26.12.205
                      		api.ipify.orgUnited States
                      		13335CLOUDFLARENETUSfalse
                      104.247.165.99
                      		ftp.normagroup.com.trUnited States
                      		8100ASN-QUADRANET-GLOBALUStrue

                      General Information

                      Joe Sandbox version:40.0.0 Tourmaline
                      Analysis ID:1446733
                      Start date and time:2024-05-23 20:25:12 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 8m 46s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed:7
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:hesaphareketi-.exe
                      Detection:MAL
                      Classification:mal100.troj.spyw.evad.winEXE@3/1@2/2
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 90
                      • Number of non-executed functions: 7
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Override analysis time to 240000 for current running targets taking high CPU consumption

                      Warnings

                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                      • Not all processes where analyzed, report is missing behavior information
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                      • VT rate limit hit for: hesaphareketi-.exe

                      Simulations

                      Behavior and APIs

                      TimeTypeDescription
                      14:26:11API Interceptor11348298x Sleep call for process: hesaphareketi-.exe modified

                      Joe Sandbox View / Context

                      IPs

                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      104.26.12.205482730621.exeGet hashmaliciousStealitBrowse
                      • api.ipify.org/?format=json
                      482730621.exeGet hashmaliciousStealitBrowse
                      • api.ipify.org/?format=json
                      Sonic-Glyder.exeGet hashmaliciousStealitBrowse
                      • api.ipify.org/?format=json
                      Sky-Beta.exeGet hashmaliciousStealitBrowse
                      • api.ipify.org/?format=json
                      SecuriteInfo.com.Backdoor.Win32.Agent.myuuxz.13708.17224.exeGet hashmaliciousBunny LoaderBrowse
                      • api.ipify.org/
                      lods.cmdGet hashmaliciousRemcosBrowse
                      • api.ipify.org/
                      104.247.165.99CN-Invoice-0945413571-XXXXX6856-23120537357076000009.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                        wUBne5sGQK.exeGet hashmaliciousAgentTeslaBrowse
                          1PtZHrluDy.exeGet hashmaliciousAgentTeslaBrowse
                            CN-Invoice-945413571-XXXXX6856-2312053735707600.exeGet hashmaliciousAgentTeslaBrowse
                              Dekont-2024-03-28,pdf.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                DEKONT - 20240327-g0CiifOO4eIH5dL.exeGet hashmaliciousAgentTeslaBrowse
                                  Dekont-PDF.exeGet hashmaliciousAgentTeslaBrowse
                                    Dekont-Formu20242503-DOC.exeGet hashmaliciousAgentTeslaBrowse
                                      Dekont-Formu20242203-DOC.exeGet hashmaliciousAgentTeslaBrowse
                                        SecuriteInfo.com.W32.MSIL_Agent.GLM.gen.Eldorado.13975.20245.exeGet hashmaliciousAgentTeslaBrowse

                                          Domains

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          api.ipify.orgDocuments Of DHL -BL- AWB- 8976453410.exeGet hashmaliciousAgentTeslaBrowse
                                          • 172.67.74.152
                                          https://www.google.com/url?q=https://tame-coherent-emmental.glitch.me/%23aG95ZUB1bW4uZWR1&source=gmail-imap&ust=1717088881000000&usg=AOvVaw14q68JL0hvqaGr_XiCkvK4Get hashmaliciousHTMLPhisherBrowse
                                          • 172.67.74.152
                                          Doc0781123608.exeGet hashmaliciousAgentTesla, PureLog Stealer, XWormBrowse
                                          • 172.67.74.152
                                          30% Down Payment Slip.pdf_______________________________________________________.exeGet hashmaliciousAgentTeslaBrowse
                                          • 104.26.12.205
                                          ordinul de cotatie.exeGet hashmaliciousAgentTeslaBrowse
                                          • 172.67.74.152
                                          PI_230524.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                          • 104.26.12.205
                                          PO_23052024.exeGet hashmaliciousAgentTeslaBrowse
                                          • 104.26.12.205
                                          hesaphareketi-015232024.SCR.exeGet hashmaliciousAgentTeslaBrowse
                                          • 172.67.74.152
                                          rPurchaseOrderPO05232024.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                          • 104.26.13.205
                                          ASCD0001 INQ9829......pdf.exeGet hashmaliciousAgentTeslaBrowse
                                          • 104.26.13.205
                                          ftp.normagroup.com.trCN-Invoice-0945413571-XXXXX6856-23120537357076000009.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                          • 104.247.165.99
                                          wUBne5sGQK.exeGet hashmaliciousAgentTeslaBrowse
                                          • 104.247.165.99
                                          1PtZHrluDy.exeGet hashmaliciousAgentTeslaBrowse
                                          • 104.247.165.99
                                          CN-Invoice-945413571-XXXXX6856-2312053735707600.exeGet hashmaliciousAgentTeslaBrowse
                                          • 104.247.165.99
                                          Dekont-2024-03-28,pdf.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                          • 104.247.165.99
                                          DEKONT - 20240327-g0CiifOO4eIH5dL.exeGet hashmaliciousAgentTeslaBrowse
                                          • 104.247.165.99
                                          Dekont-PDF.exeGet hashmaliciousAgentTeslaBrowse
                                          • 104.247.165.99
                                          Dekont-Formu20242503-DOC.exeGet hashmaliciousAgentTeslaBrowse
                                          • 104.247.165.99
                                          Dekont-Formu20242203-DOC.exeGet hashmaliciousAgentTeslaBrowse
                                          • 104.247.165.99
                                          SecuriteInfo.com.W32.MSIL_Agent.GLM.gen.Eldorado.13975.20245.exeGet hashmaliciousAgentTeslaBrowse
                                          • 104.247.165.99

                                          ASNs

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          CLOUDFLARENETUSHome Purchase Contract and Property Details.xlsGet hashmaliciousRemcos, DBatLoaderBrowse
                                          • 188.114.96.3
                                          Documents Of DHL -BL- AWB- 8976453410.exeGet hashmaliciousAgentTeslaBrowse
                                          • 172.67.74.152
                                          Offer Document 24.lnkGet hashmaliciousFormBookBrowse
                                          • 23.227.38.74
                                          PO 4500025813.xlsGet hashmaliciousUnknownBrowse
                                          • 188.114.97.3
                                          https://freexxxth.linkGet hashmaliciousUnknownBrowse
                                          • 104.21.25.77
                                          https://freexxxth.linkGet hashmaliciousUnknownBrowse
                                          • 172.67.223.248
                                          SCB REmittance Advice.docGet hashmaliciousLokibotBrowse
                                          • 188.114.97.9
                                          V_273686.Lnk.lnkGet hashmaliciousMalLnkBrowse
                                          • 172.67.217.192
                                          kam.cmdGet hashmaliciousGuLoaderBrowse
                                          • 104.21.28.80
                                          https://www.whtenvlpe.com/acTcl2kTmPSJi_Ld_mhpL5dNumT258E0ztzYJGo7sYTHmy1SnIHoHTr_lyuA2BZnhF49nvpBtTPseiLflrqOEA~~/16/1Get hashmaliciousUnknownBrowse
                                          • 104.21.39.66
                                          ASN-QUADRANET-GLOBALUSNew_Order945846743.exeGet hashmaliciousAveMaria, GuLoader, PrivateLoaderBrowse
                                          • 72.11.156.201
                                          PO2737478834ORDER.exeGet hashmaliciousAveMaria, GuLoader, PrivateLoaderBrowse
                                          • 72.11.156.201
                                          ORDER893474849.exeGet hashmaliciousAveMaria, GuLoader, PrivateLoaderBrowse
                                          • 72.11.156.201
                                          rORDER002838477624PO.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                          • 72.11.156.201
                                          sF2s1EQU7T.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                          • 64.188.21.131
                                          xerox322200524.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                          • 167.160.166.205
                                          Plat#U0103 Factura MTL11852.xlsGet hashmaliciousRemcosBrowse
                                          • 23.226.128.138
                                          Plat#U0103 Factura MTL11852.xlsGet hashmaliciousUnknownBrowse
                                          • 23.226.128.138
                                          https://dianliangyingyu.com/Get hashmaliciousUnknownBrowse
                                          • 204.44.86.21
                                          file.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                          • 64.188.27.90

                                          JA3 Fingerprints

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          3b5074b1b5d032e5620f69f9f700ff0esipari#U015f_comfirmasyonu.exeGet hashmaliciousAgentTeslaBrowse
                                          • 104.26.12.205
                                          Documents Of DHL -BL- AWB- 8976453410.exeGet hashmaliciousAgentTeslaBrowse
                                          • 104.26.12.205
                                          COMMERCIAL INVOICE - BL - AWB 7032805642.exeGet hashmaliciousAgentTeslaBrowse
                                          • 104.26.12.205
                                          kam.cmdGet hashmaliciousGuLoaderBrowse
                                          • 104.26.12.205
                                          Doc0781123608.exeGet hashmaliciousAgentTesla, PureLog Stealer, XWormBrowse
                                          • 104.26.12.205
                                          upload.vbsGet hashmaliciousUnknownBrowse
                                          • 104.26.12.205
                                          upload.vbsGet hashmaliciousGuLoader, XWormBrowse
                                          • 104.26.12.205
                                          update.vbsGet hashmaliciousGuLoader, XWormBrowse
                                          • 104.26.12.205
                                          file.vbsGet hashmaliciousGuLoaderBrowse
                                          • 104.26.12.205
                                          windows.vbsGet hashmaliciousAsyncRAT, GuLoaderBrowse
                                          • 104.26.12.205

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hesaphareketi-.exe.log

                                          Download File
                                          Process:C:\Users\user\Desktop\hesaphareketi-.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1216
                                          Entropy (8bit):5.34331486778365
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                          Malicious:false
                                          Reputation:high, very likely benign file
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                          Static File Info

                                          General

                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):6.960231532527883
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          File name:hesaphareketi-.exe
                                          File size:939'008 bytes
                                          MD5:6ee05d4dd363d273ce38c497b1238db1
                                          SHA1:7c4f86c5edfe9cf5d1955c4af44cd8d0a25a0f0a
                                          SHA256:1a88cd1b38768b690166ed6a6647ca7e975a68b7112c0e938cdfaaea8d509c9e
                                          SHA512:db37e14f851f0d2de99cff71a720b72f12db0b388c60f0f89e83f2493364bf8bc72eb2a98dcae065c532a2541fc42ddb199d679b1dab91c6bc426925622e3709
                                          SSDEEP:24576:6yK3B4Tw/bf4vQJTg4i0pMyR++/PhNt96WVp:6N94yU4i0WyD/36WV
                                          TLSH:D0159F3C18FC2A229160D6A4CFE0C663F150F4FA3963992299D24755474BE9BBDC327E
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Nf..............0..J...........h... ........@.. ....................................@................................

                                          File Icon

                                          Icon Hash:90cececece8e8eb0

                                          Static PE Info

                                          General

                                          Entrypoint:0x4e6816
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x664ED1A0 [Thu May 23 05:18:24 2024 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                          Entrypoint Preview

                                          Instruction
                                          jmp dword ptr [00402000h]
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al

                                          Data Directories

                                          NameVirtual AddressVirtual Size Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_IMPORT0xe67c30x4f.text
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0xe80000x5d4.rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0xea0000xc.reloc
                                          IMAGE_DIRECTORY_ENTRY_DEBUG0xe43680x54.text
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                          Sections

                                          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                          .text0x20000xe481c0xe4a00dd0a3e2c743e52eff1e39019c616add2False0.6967765428512849data6.966251395726089IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                          .rsrc0xe80000x5d40x600a73137abe1e0968be14d0125539e9fe5False0.4283854166666667data4.148648565251091IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .reloc0xea0000xc0x2006d04a551d662569ede38cad17e04f668False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                          Resources

                                          NameRVASizeTypeLanguageCountryZLIB Complexity
                                          RT_VERSION0xe80900x344data0.4270334928229665
                                          RT_MANIFEST0xe83e40x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                          Imports

                                          DLLImport
                                          mscoree.dll_CorExeMain

                                          Network Behavior

                                          Network Port Distribution

                                          TCP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          May 23, 2024 20:26:13.593163967 CEST49732443192.168.2.4104.26.12.205
                                          May 23, 2024 20:26:13.593242884 CEST44349732104.26.12.205192.168.2.4
                                          May 23, 2024 20:26:13.593353033 CEST49732443192.168.2.4104.26.12.205
                                          May 23, 2024 20:26:13.601720095 CEST49732443192.168.2.4104.26.12.205
                                          May 23, 2024 20:26:13.601744890 CEST44349732104.26.12.205192.168.2.4
                                          May 23, 2024 20:26:14.195894003 CEST44349732104.26.12.205192.168.2.4
                                          May 23, 2024 20:26:14.196299076 CEST49732443192.168.2.4104.26.12.205
                                          May 23, 2024 20:26:14.200438023 CEST49732443192.168.2.4104.26.12.205
                                          May 23, 2024 20:26:14.200455904 CEST44349732104.26.12.205192.168.2.4
                                          May 23, 2024 20:26:14.200736046 CEST44349732104.26.12.205192.168.2.4
                                          May 23, 2024 20:26:14.242508888 CEST49732443192.168.2.4104.26.12.205
                                          May 23, 2024 20:26:14.258514881 CEST49732443192.168.2.4104.26.12.205
                                          May 23, 2024 20:26:14.302501917 CEST44349732104.26.12.205192.168.2.4
                                          May 23, 2024 20:26:14.441783905 CEST44349732104.26.12.205192.168.2.4
                                          May 23, 2024 20:26:14.441869974 CEST44349732104.26.12.205192.168.2.4
                                          May 23, 2024 20:26:14.442070007 CEST49732443192.168.2.4104.26.12.205
                                          May 23, 2024 20:26:14.450100899 CEST49732443192.168.2.4104.26.12.205
                                          May 23, 2024 20:26:15.761395931 CEST4973421192.168.2.4104.247.165.99
                                          May 23, 2024 20:26:15.766340971 CEST2149734104.247.165.99192.168.2.4
                                          May 23, 2024 20:26:15.766458035 CEST4973421192.168.2.4104.247.165.99
                                          May 23, 2024 20:26:15.784187078 CEST4973421192.168.2.4104.247.165.99
                                          May 23, 2024 20:26:15.835544109 CEST2149734104.247.165.99192.168.2.4
                                          May 23, 2024 20:26:15.837089062 CEST4973421192.168.2.4104.247.165.99
                                          May 23, 2024 20:27:47.133560896 CEST4974421192.168.2.4104.247.165.99
                                          May 23, 2024 20:27:47.138602018 CEST2149744104.247.165.99192.168.2.4
                                          May 23, 2024 20:27:47.138734102 CEST4974421192.168.2.4104.247.165.99
                                          May 23, 2024 20:27:47.138840914 CEST4974421192.168.2.4104.247.165.99
                                          May 23, 2024 20:27:47.182372093 CEST2149744104.247.165.99192.168.2.4
                                          May 23, 2024 20:27:47.182492018 CEST4974421192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:01.189251900 CEST4974521192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:01.194561958 CEST2149745104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:01.197756052 CEST4974521192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:01.197854996 CEST4974521192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:01.254194021 CEST2149745104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:01.254508972 CEST4974521192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:08.366137028 CEST4974621192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:08.372268915 CEST2149746104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:08.372361898 CEST4974621192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:08.372647047 CEST4974621192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:08.426268101 CEST2149746104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:08.426516056 CEST4974621192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:13.202949047 CEST4974721192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:14.146158934 CEST2149747104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:14.146230936 CEST4974721192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:14.146580935 CEST4974721192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:14.156047106 CEST2149747104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:14.156096935 CEST4974721192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:15.234893084 CEST4974821192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:15.241636038 CEST2149748104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:15.241738081 CEST4974821192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:15.241967916 CEST4974821192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:15.298125982 CEST2149748104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:15.298660040 CEST4974821192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:19.388930082 CEST4974921192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:19.393938065 CEST2149749104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:19.399079084 CEST4974921192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:19.399239063 CEST4974921192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:19.465365887 CEST2149749104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:19.511895895 CEST2149749104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:19.513102055 CEST4974921192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:20.005481958 CEST4975021192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:20.011487007 CEST2149750104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:20.011586905 CEST4975021192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:20.011904001 CEST4975021192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:20.073707104 CEST2149750104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:20.073780060 CEST4975021192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:26.349301100 CEST4975121192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:26.355204105 CEST2149751104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:26.355261087 CEST4975121192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:26.355448008 CEST4975121192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:26.405953884 CEST2149751104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:26.405998945 CEST4975121192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:30.714827061 CEST4975221192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:30.721086025 CEST2149752104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:30.721184969 CEST4975221192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:30.721434116 CEST4975221192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:30.781487942 CEST2149752104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:30.781595945 CEST4975221192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:45.846199036 CEST4975321192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:45.851243019 CEST2149753104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:45.851324081 CEST4975321192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:46.731831074 CEST2149753104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:46.732157946 CEST4975321192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:46.746335983 CEST2149753104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:47.127262115 CEST2149753104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:47.127713919 CEST4975321192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:47.132756948 CEST2149753104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:47.617975950 CEST2149753104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:47.619019032 CEST4975321192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:47.624151945 CEST2149753104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:47.921236992 CEST2149753104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:47.921576977 CEST4975321192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:47.926567078 CEST2149753104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:48.150744915 CEST2149753104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:48.151035070 CEST4975321192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:48.207576036 CEST2149753104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:48.499938965 CEST2149753104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:48.500075102 CEST4975321192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:48.505131006 CEST2149753104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:48.805833101 CEST2149753104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:48.806586981 CEST4975462592192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:48.851363897 CEST4975321192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:48.853885889 CEST6259249754104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:48.854098082 CEST4975462592192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:48.854190111 CEST4975321192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:48.876631021 CEST2149753104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:49.593909979 CEST2149753104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:49.598907948 CEST4975462592192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:49.606357098 CEST6259249754104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:49.606368065 CEST6259249754104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:49.606378078 CEST6259249754104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:49.606558084 CEST4975462592192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:49.608469963 CEST6259249754104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:49.608479977 CEST6259249754104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:49.608489990 CEST6259249754104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:49.608499050 CEST6259249754104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:49.608508110 CEST6259249754104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:49.608642101 CEST4975462592192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:49.610196114 CEST6259249754104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:49.610388041 CEST4975462592192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:49.617858887 CEST6259249754104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:49.618066072 CEST4975462592192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:49.627258062 CEST6259249754104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:49.627273083 CEST6259249754104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:49.627284050 CEST6259249754104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:49.627300978 CEST6259249754104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:49.627316952 CEST6259249754104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:49.627326965 CEST6259249754104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:49.627351999 CEST4975462592192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:49.627405882 CEST4975462592192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:49.628094912 CEST6259249754104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:49.628107071 CEST6259249754104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:49.628314972 CEST4975462592192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:49.636593103 CEST6259249754104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:49.648252010 CEST4975321192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:49.664282084 CEST6259249754104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:49.666683912 CEST4975462592192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:50.311012983 CEST2149753104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:50.366996050 CEST4975321192.168.2.4104.247.165.99
                                          May 23, 2024 20:28:50.381091118 CEST2149753104.247.165.99192.168.2.4
                                          May 23, 2024 20:28:50.381165028 CEST4975321192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:00.326834917 CEST4975321192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:00.340250015 CEST2149753104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:00.568528891 CEST2149753104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:00.571264982 CEST4975564834192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:00.577728033 CEST6483449755104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:00.578906059 CEST4975564834192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:00.578975916 CEST4975321192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:00.679897070 CEST2149753104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:01.207123995 CEST2149753104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:01.207381964 CEST4975564834192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:01.213155985 CEST6483449755104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:01.213208914 CEST4975564834192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:01.222420931 CEST6483449755104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:01.222435951 CEST6483449755104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:01.222445011 CEST6483449755104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:01.222454071 CEST6483449755104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:01.222461939 CEST6483449755104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:01.222467899 CEST4975564834192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:01.222470999 CEST6483449755104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:01.222479105 CEST6483449755104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:01.222510099 CEST6483449755104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:01.222516060 CEST4975564834192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:01.222552061 CEST4975564834192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:01.222574949 CEST4975564834192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:01.231611967 CEST6483449755104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:01.231621981 CEST6483449755104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:01.231648922 CEST4975564834192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:01.231679916 CEST4975564834192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:01.238817930 CEST6483449755104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:01.238828897 CEST6483449755104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:01.238836050 CEST6483449755104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:01.238845110 CEST6483449755104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:01.238852978 CEST6483449755104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:01.238853931 CEST4975564834192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:01.238862038 CEST6483449755104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:01.238869905 CEST6483449755104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:01.238897085 CEST4975564834192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:01.238940954 CEST4975564834192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:01.245832920 CEST6483449755104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:01.252717972 CEST6483449755104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:01.252727032 CEST6483449755104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:01.252734900 CEST6483449755104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:01.252743959 CEST6483449755104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:01.301573038 CEST6483449755104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:01.301629066 CEST4975564834192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:01.364968061 CEST4975321192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:01.702121973 CEST2149753104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:01.867197037 CEST4975321192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:04.308434963 CEST4975321192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:04.326623917 CEST2149753104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:04.818742037 CEST2149753104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:04.819273949 CEST4975658712192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:04.829797029 CEST5871249756104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:04.829866886 CEST4975658712192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:04.829952002 CEST4975321192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:04.892028093 CEST2149753104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:05.467633963 CEST2149753104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:05.467901945 CEST4975658712192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:05.473220110 CEST5871249756104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:05.473380089 CEST4975658712192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:05.480151892 CEST5871249756104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:05.480163097 CEST5871249756104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:05.480170965 CEST5871249756104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:05.480180025 CEST5871249756104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:05.480189085 CEST5871249756104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:05.480197906 CEST5871249756104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:05.480206013 CEST5871249756104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:05.480215073 CEST5871249756104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:05.480272055 CEST4975658712192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:05.489564896 CEST5871249756104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:05.489574909 CEST5871249756104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:05.489624977 CEST4975658712192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:05.494360924 CEST5871249756104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:05.494370937 CEST5871249756104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:05.494379997 CEST5871249756104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:05.494388103 CEST5871249756104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:05.494395971 CEST5871249756104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:05.494404078 CEST5871249756104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:05.494416952 CEST4975658712192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:05.494438887 CEST4975658712192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:05.494477987 CEST4975658712192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:05.499164104 CEST5871249756104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:05.503923893 CEST5871249756104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:05.503935099 CEST5871249756104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:05.550035954 CEST5871249756104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:05.550154924 CEST4975658712192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:05.554502010 CEST4975321192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:05.965930939 CEST2149753104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:06.163846016 CEST4975321192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:14.668451071 CEST4975321192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:14.677800894 CEST2149753104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:14.906666040 CEST2149753104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:14.910501957 CEST4975755953192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:14.915430069 CEST5595349757104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:14.915560007 CEST4975755953192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:14.915680885 CEST4975321192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:14.965992928 CEST2149753104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:15.544559002 CEST2149753104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:15.544807911 CEST4975755953192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:15.549992085 CEST5595349757104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:15.550045967 CEST4975755953192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:15.555022001 CEST5595349757104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:15.555033922 CEST5595349757104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:15.555043936 CEST5595349757104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:15.555054903 CEST5595349757104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:15.555063963 CEST5595349757104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:15.555074930 CEST5595349757104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:15.555084944 CEST5595349757104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:15.555093050 CEST5595349757104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:15.555095911 CEST4975755953192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:15.555104017 CEST5595349757104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:15.555141926 CEST4975755953192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:15.555166960 CEST4975755953192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:15.559859991 CEST5595349757104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:15.559909105 CEST4975755953192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:15.564688921 CEST5595349757104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:15.564699888 CEST5595349757104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:15.564707994 CEST5595349757104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:15.564717054 CEST5595349757104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:15.564721107 CEST5595349757104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:15.564743996 CEST4975755953192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:15.564769030 CEST4975755953192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:15.569499969 CEST5595349757104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:15.569574118 CEST4975755953192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:15.574305058 CEST5595349757104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:15.574317932 CEST5595349757104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:15.574327946 CEST5595349757104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:15.579479933 CEST5595349757104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:15.579492092 CEST5595349757104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:15.579504013 CEST5595349757104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:15.579513073 CEST5595349757104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:15.601366997 CEST4975321192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:15.606285095 CEST5595349757104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:15.606301069 CEST5595349757104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:15.606357098 CEST4975755953192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:16.068845987 CEST2149753104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:16.210828066 CEST4975321192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:41.453752995 CEST4975821192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:41.469830990 CEST2149758104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:41.469898939 CEST4975821192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:41.470134974 CEST4975821192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:41.487736940 CEST2149758104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:41.487747908 CEST2149758104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:41.487802982 CEST4975821192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:56.043258905 CEST4975921192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:56.054173946 CEST2149759104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:56.054464102 CEST4975921192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:56.054635048 CEST4975921192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:56.106340885 CEST2149759104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:56.112765074 CEST4975921192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:59.073596954 CEST4976021192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:59.078735113 CEST2149760104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:59.078844070 CEST4976021192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:59.728112936 CEST2149760104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:59.728311062 CEST4976021192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:59.733654976 CEST2149760104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:59.975085020 CEST2149760104.247.165.99192.168.2.4
                                          May 23, 2024 20:29:59.975284100 CEST4976021192.168.2.4104.247.165.99
                                          May 23, 2024 20:29:59.980214119 CEST2149760104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:00.230171919 CEST2149760104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:00.230320930 CEST4976021192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:00.235680103 CEST2149760104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:00.459373951 CEST2149760104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:00.459501028 CEST4976021192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:00.464473009 CEST2149760104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:00.683608055 CEST2149760104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:00.683875084 CEST4976021192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:00.695144892 CEST2149760104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:00.930624008 CEST2149760104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:00.930823088 CEST4976021192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:00.935805082 CEST2149760104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:01.158257008 CEST2149760104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:01.158885002 CEST4976161504192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:01.163907051 CEST6150449761104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:01.164060116 CEST4976161504192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:01.164067030 CEST4976021192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:01.216165066 CEST2149760104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:01.790853024 CEST2149760104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:01.791191101 CEST4976161504192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:01.796251059 CEST6150449761104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:01.796484947 CEST4976161504192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:01.801398993 CEST6150449761104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:01.801417112 CEST6150449761104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:01.801428080 CEST6150449761104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:01.801439047 CEST6150449761104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:01.801454067 CEST6150449761104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:01.801465034 CEST6150449761104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:01.801475048 CEST6150449761104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:01.801486015 CEST6150449761104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:01.801491976 CEST6150449761104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:01.801497936 CEST4976161504192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:01.801563025 CEST4976161504192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:01.806185007 CEST6150449761104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:01.806386948 CEST4976161504192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:01.810995102 CEST6150449761104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:01.811016083 CEST6150449761104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:01.811028957 CEST6150449761104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:01.811038971 CEST6150449761104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:01.811049938 CEST6150449761104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:01.811059952 CEST4976161504192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:01.811063051 CEST6150449761104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:01.811074018 CEST6150449761104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:01.811084986 CEST6150449761104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:01.811094999 CEST6150449761104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:01.811105013 CEST6150449761104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:01.811131954 CEST4976161504192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:01.811172962 CEST4976161504192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:01.815944910 CEST6150449761104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:01.820704937 CEST6150449761104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:01.820719957 CEST6150449761104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:01.820729017 CEST6150449761104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:01.820740938 CEST6150449761104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:01.820744991 CEST6150449761104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:01.820755959 CEST6150449761104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:01.820765972 CEST6150449761104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:01.820775986 CEST6150449761104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:01.867315054 CEST6150449761104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:01.867474079 CEST4976161504192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:01.932956934 CEST4976021192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:02.278111935 CEST2149760104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:02.335674047 CEST4976021192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:09.058726072 CEST4976021192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:09.065123081 CEST2149760104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:09.284538984 CEST2149760104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:09.287297010 CEST4976261120192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:09.294459105 CEST6112049762104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:09.294996023 CEST4976021192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:09.298707962 CEST4976261120192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:09.299890995 CEST2149760104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:09.401684046 CEST4976321192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:09.414865971 CEST2149763104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:09.415007114 CEST4976321192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:09.415208101 CEST4976321192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:09.742721081 CEST4976321192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:10.383380890 CEST4976321192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:10.546039104 CEST2149760104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:10.546269894 CEST4976261120192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:10.556113005 CEST2149763104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:10.556129932 CEST2149760104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:10.556139946 CEST2149763104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:10.556149006 CEST2149760104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:10.556159019 CEST2149763104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:10.556176901 CEST4976321192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:10.556215048 CEST4976021192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:10.556231022 CEST4976321192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:10.556231022 CEST4976021192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:10.556231022 CEST4976321192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:10.577223063 CEST2149763104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:10.577326059 CEST4976321192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:10.581938982 CEST2149763104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:10.581963062 CEST6112049762104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:10.581971884 CEST2149763104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:10.581979990 CEST6112049762104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:10.581989050 CEST6112049762104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:10.581996918 CEST6112049762104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:10.582006931 CEST6112049762104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:10.582015991 CEST6112049762104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:10.582024097 CEST6112049762104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:10.582032919 CEST6112049762104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:10.582041025 CEST6112049762104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:10.582048893 CEST6112049762104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:10.582154036 CEST4976321192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:10.582154036 CEST4976321192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:10.582180023 CEST4976261120192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:10.592370987 CEST6112049762104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:10.592390060 CEST6112049762104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:10.592398882 CEST6112049762104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:10.592407942 CEST6112049762104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:10.592417002 CEST6112049762104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:10.592425108 CEST6112049762104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:10.592619896 CEST4976261120192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:10.600821972 CEST6112049762104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:10.600941896 CEST4976261120192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:10.607748985 CEST6112049762104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:10.612492085 CEST6112049762104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:10.612513065 CEST6112049762104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:10.612523079 CEST6112049762104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:10.612531900 CEST6112049762104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:10.663853884 CEST6112049762104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:10.663906097 CEST6112049762104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:10.665992022 CEST4976261120192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:11.081517935 CEST2149760104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:11.242500067 CEST4976021192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:17.682627916 CEST4976021192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:17.687678099 CEST2149760104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:17.913454056 CEST2149760104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:17.913958073 CEST4976456060192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:17.922492027 CEST5606049764104.247.165.99192.168.2.4
                                          May 23, 2024 20:30:17.922573090 CEST4976456060192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:17.922663927 CEST4976021192.168.2.4104.247.165.99
                                          May 23, 2024 20:30:17.980374098 CEST2149760104.247.165.99192.168.2.4

                                          UDP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          May 23, 2024 20:26:13.543620110 CEST5894053192.168.2.41.1.1.1
                                          May 23, 2024 20:26:13.585087061 CEST53589401.1.1.1192.168.2.4
                                          May 23, 2024 20:26:15.380846024 CEST5377853192.168.2.41.1.1.1
                                          May 23, 2024 20:26:15.760234118 CEST53537781.1.1.1192.168.2.4

                                          DNS Queries

                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                          May 23, 2024 20:26:13.543620110 CEST192.168.2.41.1.1.10x7baStandard query (0)api.ipify.orgA (IP address)IN (0x0001)false
                                          May 23, 2024 20:26:15.380846024 CEST192.168.2.41.1.1.10xee9dStandard query (0)ftp.normagroup.com.trA (IP address)IN (0x0001)false

                                          DNS Answers

                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                          May 23, 2024 20:26:13.585087061 CEST1.1.1.1192.168.2.40x7baNo error (0)api.ipify.org104.26.12.205A (IP address)IN (0x0001)false
                                          May 23, 2024 20:26:13.585087061 CEST1.1.1.1192.168.2.40x7baNo error (0)api.ipify.org172.67.74.152A (IP address)IN (0x0001)false
                                          May 23, 2024 20:26:13.585087061 CEST1.1.1.1192.168.2.40x7baNo error (0)api.ipify.org104.26.13.205A (IP address)IN (0x0001)false
                                          May 23, 2024 20:26:15.760234118 CEST1.1.1.1192.168.2.40xee9dNo error (0)ftp.normagroup.com.tr104.247.165.99A (IP address)IN (0x0001)false

                                          HTTP Request Dependency Graph

                                          • api.ipify.org

                                          HTTPS Proxied Packets

                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          0192.168.2.449732104.26.12.2054433496C:\Users\user\Desktop\hesaphareketi-.exe
                                          TimestampBytes transferredDirectionData
                                          2024-05-23 18:26:14 UTC155OUTGET / HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                          Host: api.ipify.org
                                          Connection: Keep-Alive
                                          2024-05-23 18:26:14 UTC211INHTTP/1.1 200 OK
                                          Date: Thu, 23 May 2024 18:26:14 GMT
                                          Content-Type: text/plain
                                          Content-Length: 12
                                          Connection: close
                                          Vary: Origin
                                          CF-Cache-Status: DYNAMIC
                                          Server: cloudflare
                                          CF-RAY: 888717d78b1e15cb-EWR
                                          2024-05-23 18:26:14 UTC12INData Raw: 38 2e 34 36 2e 31 32 33 2e 31 37 35
                                          Data Ascii: 8.46.123.175


                                          FTP Packets

                                          TimestampSource PortDest PortSource IPDest IPCommands
                                          May 23, 2024 20:28:46.731831074 CEST2149753104.247.165.99192.168.2.4220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                          220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 50 allowed.
                                          220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 50 allowed.220-Local time is now 21:28. Server port: 21.
                                          220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 50 allowed.220-Local time is now 21:28. Server port: 21.220-This is a private system - No anonymous login
                                          220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 50 allowed.220-Local time is now 21:28. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.
                                          220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 50 allowed.220-Local time is now 21:28. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
                                          May 23, 2024 20:28:46.732157946 CEST4975321192.168.2.4104.247.165.99USER admin@normagroup.com.tr
                                          May 23, 2024 20:28:47.127262115 CEST2149753104.247.165.99192.168.2.4331 User admin@normagroup.com.tr OK. Password required
                                          May 23, 2024 20:28:47.127713919 CEST4975321192.168.2.4104.247.165.99PASS Qb.X[.j.Yfm[
                                          May 23, 2024 20:28:47.617975950 CEST2149753104.247.165.99192.168.2.4230 OK. Current restricted directory is /
                                          May 23, 2024 20:28:47.921236992 CEST2149753104.247.165.99192.168.2.4504 Unknown command
                                          May 23, 2024 20:28:47.921576977 CEST4975321192.168.2.4104.247.165.99PWD
                                          May 23, 2024 20:28:48.150744915 CEST2149753104.247.165.99192.168.2.4257 "/" is your current location
                                          May 23, 2024 20:28:48.151035070 CEST4975321192.168.2.4104.247.165.99TYPE I
                                          May 23, 2024 20:28:48.499938965 CEST2149753104.247.165.99192.168.2.4200 TYPE is now 8-bit binary
                                          May 23, 2024 20:28:48.500075102 CEST4975321192.168.2.4104.247.165.99PASV
                                          May 23, 2024 20:28:48.805833101 CEST2149753104.247.165.99192.168.2.4227 Entering Passive Mode (104,247,165,99,244,128)
                                          May 23, 2024 20:28:48.854190111 CEST4975321192.168.2.4104.247.165.99STOR SC_user-928100_2024_07_28_11_34_19.jpeg
                                          May 23, 2024 20:28:49.593909979 CEST2149753104.247.165.99192.168.2.4150 Accepted data connection
                                          May 23, 2024 20:28:50.311012983 CEST2149753104.247.165.99192.168.2.4226-File successfully transferred
                                          226-File successfully transferred226 0.532 seconds (measured here), 104.27 Kbytes per second
                                          May 23, 2024 20:28:50.381091118 CEST2149753104.247.165.99192.168.2.4226-File successfully transferred
                                          226-File successfully transferred226 0.532 seconds (measured here), 104.27 Kbytes per second
                                          May 23, 2024 20:29:00.326834917 CEST4975321192.168.2.4104.247.165.99PASV
                                          May 23, 2024 20:29:00.568528891 CEST2149753104.247.165.99192.168.2.4227 Entering Passive Mode (104,247,165,99,253,66)
                                          May 23, 2024 20:29:00.578975916 CEST4975321192.168.2.4104.247.165.99STOR SC_user-928100_2024_08_09_10_55_29.jpeg
                                          May 23, 2024 20:29:01.207123995 CEST2149753104.247.165.99192.168.2.4150 Accepted data connection
                                          May 23, 2024 20:29:01.702121973 CEST2149753104.247.165.99192.168.2.4226-File successfully transferred
                                          226-File successfully transferred226 0.493 seconds (measured here), 112.42 Kbytes per second
                                          May 23, 2024 20:29:04.308434963 CEST4975321192.168.2.4104.247.165.99PASV
                                          May 23, 2024 20:29:04.818742037 CEST2149753104.247.165.99192.168.2.4227 Entering Passive Mode (104,247,165,99,229,88)
                                          May 23, 2024 20:29:04.829952002 CEST4975321192.168.2.4104.247.165.99STOR SC_user-928100_2024_08_13_10_17_39.jpeg
                                          May 23, 2024 20:29:05.467633963 CEST2149753104.247.165.99192.168.2.4150 Accepted data connection
                                          May 23, 2024 20:29:05.965930939 CEST2149753104.247.165.99192.168.2.4226-File successfully transferred
                                          226-File successfully transferred226 0.496 seconds (measured here), 111.76 Kbytes per second
                                          May 23, 2024 20:29:14.668451071 CEST4975321192.168.2.4104.247.165.99PASV
                                          May 23, 2024 20:29:14.906666040 CEST2149753104.247.165.99192.168.2.4227 Entering Passive Mode (104,247,165,99,218,145)
                                          May 23, 2024 20:29:14.915680885 CEST4975321192.168.2.4104.247.165.99STOR SC_user-928100_2024_08_19_17_12_53.jpeg
                                          May 23, 2024 20:29:15.544559002 CEST2149753104.247.165.99192.168.2.4150 Accepted data connection
                                          May 23, 2024 20:29:16.068845987 CEST2149753104.247.165.99192.168.2.4226-File successfully transferred
                                          226-File successfully transferred226 0.513 seconds (measured here), 108.05 Kbytes per second
                                          May 23, 2024 20:29:59.728112936 CEST2149760104.247.165.99192.168.2.4220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                          220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 50 allowed.
                                          220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 50 allowed.220-Local time is now 21:29. Server port: 21.
                                          220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 50 allowed.220-Local time is now 21:29. Server port: 21.220-This is a private system - No anonymous login
                                          220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 50 allowed.220-Local time is now 21:29. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.
                                          220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 50 allowed.220-Local time is now 21:29. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
                                          May 23, 2024 20:29:59.728311062 CEST4976021192.168.2.4104.247.165.99USER admin@normagroup.com.tr
                                          May 23, 2024 20:29:59.975085020 CEST2149760104.247.165.99192.168.2.4331 User admin@normagroup.com.tr OK. Password required
                                          May 23, 2024 20:29:59.975284100 CEST4976021192.168.2.4104.247.165.99PASS Qb.X[.j.Yfm[
                                          May 23, 2024 20:30:00.230171919 CEST2149760104.247.165.99192.168.2.4230 OK. Current restricted directory is /
                                          May 23, 2024 20:30:00.459373951 CEST2149760104.247.165.99192.168.2.4504 Unknown command
                                          May 23, 2024 20:30:00.459501028 CEST4976021192.168.2.4104.247.165.99PWD
                                          May 23, 2024 20:30:00.683608055 CEST2149760104.247.165.99192.168.2.4257 "/" is your current location
                                          May 23, 2024 20:30:00.683875084 CEST4976021192.168.2.4104.247.165.99TYPE I
                                          May 23, 2024 20:30:00.930624008 CEST2149760104.247.165.99192.168.2.4200 TYPE is now 8-bit binary
                                          May 23, 2024 20:30:00.930823088 CEST4976021192.168.2.4104.247.165.99PASV
                                          May 23, 2024 20:30:01.158257008 CEST2149760104.247.165.99192.168.2.4227 Entering Passive Mode (104,247,165,99,240,64)
                                          May 23, 2024 20:30:01.164067030 CEST4976021192.168.2.4104.247.165.99STOR SC_user-928100_2024_09_14_05_07_52.jpeg
                                          May 23, 2024 20:30:01.790853024 CEST2149760104.247.165.99192.168.2.4150 Accepted data connection
                                          May 23, 2024 20:30:02.278111935 CEST2149760104.247.165.99192.168.2.4226-File successfully transferred
                                          226-File successfully transferred226 0.487 seconds (measured here), 118.65 Kbytes per second
                                          May 23, 2024 20:30:09.058726072 CEST4976021192.168.2.4104.247.165.99PASV
                                          May 23, 2024 20:30:09.284538984 CEST2149760104.247.165.99192.168.2.4227 Entering Passive Mode (104,247,165,99,238,192)
                                          May 23, 2024 20:30:09.294996023 CEST4976021192.168.2.4104.247.165.99STOR SC_user-928100_2024_09_20_19_39_17.jpeg
                                          May 23, 2024 20:30:10.546039104 CEST2149760104.247.165.99192.168.2.4150 Accepted data connection
                                          May 23, 2024 20:30:10.556113005 CEST2149763104.247.165.99192.168.2.4220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                          220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed.
                                          220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed.220-Local time is now 21:30. Server port: 21.
                                          220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed.220-Local time is now 21:30. Server port: 21.220-This is a private system - No anonymous login
                                          220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed.220-Local time is now 21:30. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.
                                          220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed.220-Local time is now 21:30. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
                                          May 23, 2024 20:30:10.556129932 CEST2149760104.247.165.99192.168.2.4150 Accepted data connection
                                          May 23, 2024 20:30:10.556139946 CEST2149763104.247.165.99192.168.2.4220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                          220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed.
                                          220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed.220-Local time is now 21:30. Server port: 21.
                                          220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed.220-Local time is now 21:30. Server port: 21.220-This is a private system - No anonymous login
                                          220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed.220-Local time is now 21:30. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.
                                          220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed.220-Local time is now 21:30. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
                                          May 23, 2024 20:30:10.556149006 CEST2149760104.247.165.99192.168.2.4150 Accepted data connection
                                          May 23, 2024 20:30:10.556159019 CEST2149763104.247.165.99192.168.2.4220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                          220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed.
                                          220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed.220-Local time is now 21:30. Server port: 21.
                                          220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed.220-Local time is now 21:30. Server port: 21.220-This is a private system - No anonymous login
                                          220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed.220-Local time is now 21:30. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.
                                          220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed.220-Local time is now 21:30. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
                                          May 23, 2024 20:30:11.081517935 CEST2149760104.247.165.99192.168.2.4226-File successfully transferred
                                          226-File successfully transferred226 1.134 seconds (measured here), 48.87 Kbytes per second
                                          May 23, 2024 20:30:17.682627916 CEST4976021192.168.2.4104.247.165.99PASV
                                          May 23, 2024 20:30:17.913454056 CEST2149760104.247.165.99192.168.2.4227 Entering Passive Mode (104,247,165,99,218,252)
                                          May 23, 2024 20:30:17.922663927 CEST4976021192.168.2.4104.247.165.99STOR SC_user-928100_2024_05_23_14_30_16.jpeg

                                          Statistics

                                          CPU Usage

                                          Click to jump to process

                                          Memory Usage

                                          Click to jump to process

                                          High Level Behavior Distribution

                                          Click to dive into process behavior distribution

                                          Behavior

                                          Click to jump to process

                                          System Behavior

                                          General

                                          Target ID:0
                                          Start time:14:26:09
                                          Start date:23/05/2024
                                          Path:C:\Users\user\Desktop\hesaphareketi-.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\hesaphareketi-.exe"
                                          Imagebase:0x440000
                                          File size:939'008 bytes
                                          MD5 hash:6EE05D4DD363D273CE38C497B1238DB1
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1763207948.0000000003879000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1763207948.0000000003879000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1763207948.0000000003AE6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1763207948.0000000003AE6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low
                                          Has exited:true

                                          General

                                          Target ID:2
                                          Start time:14:26:12
                                          Start date:23/05/2024
                                          Path:C:\Users\user\Desktop\hesaphareketi-.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\hesaphareketi-.exe"
                                          Imagebase:0x730000
                                          File size:939'008 bytes
                                          MD5 hash:6EE05D4DD363D273CE38C497B1238DB1
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4189629111.0000000002BB9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4188331044.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4188331044.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4189629111.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4189629111.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low
                                          Has exited:false

                                          Disassembly

                                          Reset < >

                                            Execution Graph

                                            Execution Coverage:7.5%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:55
                                            Total number of Limit Nodes:1
                                            execution_graph 15114 2754668 15115 275467a 15114->15115 15116 2754686 15115->15116 15118 2754778 15115->15118 15119 275479d 15118->15119 15123 2754879 15119->15123 15127 2754888 15119->15127 15124 2754888 15123->15124 15125 275498c 15124->15125 15131 27544e0 15124->15131 15125->15125 15129 27548af 15127->15129 15128 275498c 15128->15128 15129->15128 15130 27544e0 CreateActCtxA 15129->15130 15130->15128 15132 2755918 CreateActCtxA 15131->15132 15134 27559db 15132->15134 15135 275d1d8 15136 275d21e 15135->15136 15140 275d3a7 15136->15140 15144 275d3b8 15136->15144 15137 275d30b 15141 275d3b5 15140->15141 15143 275d3e6 15141->15143 15147 275b3e8 15141->15147 15143->15137 15145 275b3e8 DuplicateHandle 15144->15145 15146 275d3e6 15145->15146 15146->15137 15148 275d420 DuplicateHandle 15147->15148 15149 275d4b6 15148->15149 15149->15143 15150 275ad28 15154 275ae11 15150->15154 15161 275ae20 15150->15161 15151 275ad37 15155 275ae31 15154->15155 15158 275ae4c 15154->15158 15168 2759d90 15155->15168 15158->15151 15162 275ae31 15161->15162 15165 275ae4c 15161->15165 15163 2759d90 GetModuleHandleW 15162->15163 15164 275ae3c 15163->15164 15164->15165 15166 275b4b1 2 API calls 15164->15166 15167 275b4c0 2 API calls 15164->15167 15165->15151 15166->15165 15167->15165 15169 275b418 GetModuleHandleW 15168->15169 15171 275ae3c 15169->15171 15171->15158 15172 275b4c0 15171->15172 15177 275b4b1 15171->15177 15173 2759d90 GetModuleHandleW 15172->15173 15174 275b4d4 15173->15174 15175 275b4f9 15174->15175 15183 275b020 15174->15183 15175->15158 15178 275b4c0 15177->15178 15179 2759d90 GetModuleHandleW 15178->15179 15180 275b4d4 15179->15180 15181 275b020 LoadLibraryExW 15180->15181 15182 275b4f9 15180->15182 15181->15182 15182->15158 15184 275b6a0 LoadLibraryExW 15183->15184 15186 275b719 15184->15186 15186->15175

                                            Executed Functions

                                            Function 0275590D Relevance: 1.6, APIs: 1, Instructions: 99COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 327 275590d-2755916 328 2755918-27559d9 CreateActCtxA 327->328 330 27559e2-2755a3c 328->330 331 27559db-27559e1 328->331 338 2755a3e-2755a41 330->338 339 2755a4b-2755a4f 330->339 331->330 338->339 340 2755a51-2755a5d 339->340 341 2755a60 339->341 340->341 343 2755a61 341->343 343->343
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 027559C9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1762610866.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2750000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 7bea00d5443b1fa44bb2e4f3568e9ebde3bfe00e0f440cb8c0f7422d7922ab48
                                            • Instruction ID: a18df8d486afd748c386bd071442901498f5f41388e2f083c3526952ef3681df
                                            • Opcode Fuzzy Hash: 7bea00d5443b1fa44bb2e4f3568e9ebde3bfe00e0f440cb8c0f7422d7922ab48
                                            • Instruction Fuzzy Hash: 9F41E2B0C00719CBDB24CFA9C88468EFBF5BF45704F60806AE409AB250DBB66949CF90
                                            Function 027544E0 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 344 27544e0-27559d9 CreateActCtxA 347 27559e2-2755a3c 344->347 348 27559db-27559e1 344->348 355 2755a3e-2755a41 347->355 356 2755a4b-2755a4f 347->356 348->347 355->356 357 2755a51-2755a5d 356->357 358 2755a60 356->358 357->358 360 2755a61 358->360 360->360
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 027559C9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1762610866.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2750000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 55abd4104b01eb186c205a8ed8f15c4fefc2ffdb5bfcca470cd6dc58edb13f00
                                            • Instruction ID: ff59b8cf5c42c11fbb2e03945a99656954c4e0ba30741065e08c1f945dd096eb
                                            • Opcode Fuzzy Hash: 55abd4104b01eb186c205a8ed8f15c4fefc2ffdb5bfcca470cd6dc58edb13f00
                                            • Instruction Fuzzy Hash: 1041D2B0C0062DCBDB24CFA9C88479DFBF5BF49704F64806AD409AB255DBB56949CF90
                                            Function 0275B3F8 Relevance: 1.6, APIs: 1, Instructions: 68COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 361 275b3f8-275b400 363 275b446-275b458 361->363 364 275b402-275b444 361->364 366 275b460-275b48b GetModuleHandleW 363->366 367 275b45a-275b45d 363->367 364->363 368 275b494-275b4a8 366->368 369 275b48d-275b493 366->369 367->366 369->368
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0275AE3C), ref: 0275B47E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1762610866.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2750000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 1a3b60aa9f48dc5cabd9dced5356d6fafe4fc889acfc92e21041e834a6c08e2f
                                            • Instruction ID: 56c012ec85622a9dd8becb49fffb181fee4b7e6f5ce91ed2a97690b30ad24ab4
                                            • Opcode Fuzzy Hash: 1a3b60aa9f48dc5cabd9dced5356d6fafe4fc889acfc92e21041e834a6c08e2f
                                            • Instruction Fuzzy Hash: 072136B58047988FDB20DFA9D4446EAFBB0AF49218F15845AC858AB212D3745546CFA1
                                            Function 0275B3E8 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 371 275b3e8-275d4b4 DuplicateHandle 373 275d4b6-275d4bc 371->373 374 275d4bd-275d4da 371->374 373->374
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0275D3E6,?,?,?,?,?), ref: 0275D4A7
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1762610866.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2750000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 18c52a43ff741ab61c21fa90ad2cef501de76cde0bd7e5643882aac9ffea5ffc
                                            • Instruction ID: 913ab61f92151245b56bf8b02838e284c15e525d618d315919f3f1fc24eee8d2
                                            • Opcode Fuzzy Hash: 18c52a43ff741ab61c21fa90ad2cef501de76cde0bd7e5643882aac9ffea5ffc
                                            • Instruction Fuzzy Hash: 572116B5900218EFDB10CF9AD584ADEFBF4EB48320F14801AE914B3310D374A940CFA4
                                            Function 0275D419 Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 377 275d419-275d4b4 DuplicateHandle 378 275d4b6-275d4bc 377->378 379 275d4bd-275d4da 377->379 378->379
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0275D3E6,?,?,?,?,?), ref: 0275D4A7
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1762610866.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2750000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 9030580c4d3258c4b68ab5090df91f1b7943406f98955a7057f7e113aa792763
                                            • Instruction ID: e606f2cbe3ac7febd8c575a545b0206a451239e9a7971e7c3a56e169e0399738
                                            • Opcode Fuzzy Hash: 9030580c4d3258c4b68ab5090df91f1b7943406f98955a7057f7e113aa792763
                                            • Instruction Fuzzy Hash: E021E4B5900218DFDB10CFAAD584ADEFFF5EB48324F14842AE958A7310C378A940CFA5
                                            Function 0275B020 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 382 275b020-275b6e0 384 275b6e2-275b6e5 382->384 385 275b6e8-275b717 LoadLibraryExW 382->385 384->385 386 275b720-275b73d 385->386 387 275b719-275b71f 385->387 387->386
                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0275B4F9,00000800,00000000,00000000), ref: 0275B70A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1762610866.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2750000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 00059e082bcac694846e6afff80b4fc529d9db3925560d0e4379350f7c86483d
                                            • Instruction ID: 5438b41cb59ebb8cf3f3877dc346b28384342444076c0ccb876d1df2b4ba1b22
                                            • Opcode Fuzzy Hash: 00059e082bcac694846e6afff80b4fc529d9db3925560d0e4379350f7c86483d
                                            • Instruction Fuzzy Hash: 091114B69002199FDB10CF9AD444AEEFBF4EB88314F10842AD919B7210C3B5A545CFA4
                                            Function 0275B699 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 390 275b699-275b6e0 391 275b6e2-275b6e5 390->391 392 275b6e8-275b717 LoadLibraryExW 390->392 391->392 393 275b720-275b73d 392->393 394 275b719-275b71f 392->394 394->393
                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0275B4F9,00000800,00000000,00000000), ref: 0275B70A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1762610866.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2750000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 63fb7424f47027fa91b40f84685a2c692a8fb07bccf41f23204c26b80b595e7d
                                            • Instruction ID: 01d14f14c2f7ad486b23fd05d5b6a347db817c28170e64ef2680d2e6261c1b10
                                            • Opcode Fuzzy Hash: 63fb7424f47027fa91b40f84685a2c692a8fb07bccf41f23204c26b80b595e7d
                                            • Instruction Fuzzy Hash: 401126B6D002598FDB10CFAAD444AEEFBF4EB48314F14842AD859A7210C375A545CFA5
                                            Function 02759D90 Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 397 2759d90-275b458 399 275b460-275b48b GetModuleHandleW 397->399 400 275b45a-275b45d 397->400 401 275b494-275b4a8 399->401 402 275b48d-275b493 399->402 400->399 402->401
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0275AE3C), ref: 0275B47E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1762610866.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2750000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 888e10d1ef4c51428f3459eef05a45bcc3265ce8393afc8ae81646a77df4a101
                                            • Instruction ID: f1123ec4d97aa8185ed5cf2347255648e17296d6c883a3346e9b1b5643c85f5c
                                            • Opcode Fuzzy Hash: 888e10d1ef4c51428f3459eef05a45bcc3265ce8393afc8ae81646a77df4a101
                                            • Instruction Fuzzy Hash: F51132B1C007588FDB20CF9AD444AEEFBF4EB88228F10842AD819B7314C3B5A545CFA0
                                            Function 00E1D4C4 Relevance: .1, Instructions: 75COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1761492473.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e1d000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a0885f0f228ada63d8ef1e3c7193bbf8e4f92abc7f9e6bc4cd8581d2b165efb3
                                            • Instruction ID: dc03127475761f56e7fcc9cf2bb849fb95c7a00c60837b0438f777c7da4cc89f
                                            • Opcode Fuzzy Hash: a0885f0f228ada63d8ef1e3c7193bbf8e4f92abc7f9e6bc4cd8581d2b165efb3
                                            • Instruction Fuzzy Hash: 94212571508240DFCB05DF14DDC0BA7BF66FB98318F20C569E8095B256C336D896CAA1
                                            Function 00E2D1D4 Relevance: .1, Instructions: 72COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1761727367.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e2d000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: efad8e9aa519f5d22844e749c426964bbfeede7842241a9ac0e10b55058d671e
                                            • Instruction ID: e3f46eefd4d45fcada66d35502b03432c3490eb36425028b571840a9d37e474a
                                            • Opcode Fuzzy Hash: efad8e9aa519f5d22844e749c426964bbfeede7842241a9ac0e10b55058d671e
                                            • Instruction Fuzzy Hash: 50212672508204EFDB05DF54EDC4B26BBA5FB84318F30C66DEA095B2A6C336D856CA61
                                            Function 00E2D01C Relevance: .1, Instructions: 72COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1761727367.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e2d000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 95b6374c5b3e5cd115ad8d8782c676e9c1df5fa4de72f1be825bc38700794707
                                            • Instruction ID: 24b2c083d211d7abde600eca00d1e45c3a2050c3cc74c29e84b76a2918090e5e
                                            • Opcode Fuzzy Hash: 95b6374c5b3e5cd115ad8d8782c676e9c1df5fa4de72f1be825bc38700794707
                                            • Instruction Fuzzy Hash: F021F271608240DFCB14DF14E984F26BBA6FB84318F20C569DA4A5B2A6C73AD847CA61
                                            Function 00E2D005 Relevance: .1, Instructions: 62COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1761727367.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e2d000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6ff682a803a7488462a23ccb078c11669c551e4dde1408fb3783de7c9ee1e240
                                            • Instruction ID: 6359a3df6455733672b159d9a28e59271b7bc572e752a752dcb2e9bf15a584b1
                                            • Opcode Fuzzy Hash: 6ff682a803a7488462a23ccb078c11669c551e4dde1408fb3783de7c9ee1e240
                                            • Instruction Fuzzy Hash: 7021537550D3808FD712CF24D994B15BF72EB46314F28C5DAD9498F6A7C33A980ACB62
                                            Function 00E1D4BF Relevance: .1, Instructions: 56COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1761492473.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e1d000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                            • Instruction ID: 7f6abda2fb63cab9429736cd0ba6953894c3c37df1ac9885d81c810406c6e8d8
                                            • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                            • Instruction Fuzzy Hash: F511D376504280CFCB16CF14D9C4B56BF72FB94328F24C6A9D8494B656C336D89ACBA1
                                            Function 00E2D1CF Relevance: .1, Instructions: 53COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1761727367.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e2d000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                            • Instruction ID: e5b36c9839276b433dfbae82c5a75d7e652c7ce8a0209b4d60cc8a2ae81b6cbb
                                            • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                            • Instruction Fuzzy Hash: BE11BB76508284DFDB02CF50D9C4B15BBA1FB84318F24C6AAD9494B2A6C33AD81ACB61
                                            Function 00E1D745 Relevance: .0, Instructions: 45COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1761492473.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e1d000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e3725e108c8fa43be11b2226ef1f12326fbc712139deab176204fa50a07c4e2d
                                            • Instruction ID: 2d6051460491247197c0b795548be4ec029d5e85cf3dca1a42c2c27b5d21bb0f
                                            • Opcode Fuzzy Hash: e3725e108c8fa43be11b2226ef1f12326fbc712139deab176204fa50a07c4e2d
                                            • Instruction Fuzzy Hash: 4101A77100C3409AE7105A25CD84BE7BF98EF41334F18D52BED195A2D6D6799880C671
                                            Function 00E1D744 Relevance: .0, Instructions: 36COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1761492473.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e1d000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bf6b45afc0c09ef52be90c704643855f2d60af5a5f2f442f5c87cfff039bfb47
                                            • Instruction ID: f960d17a3cdec272d1b7fee8c9b3648a45181d3a070ac065cb5afa1c6b012c51
                                            • Opcode Fuzzy Hash: bf6b45afc0c09ef52be90c704643855f2d60af5a5f2f442f5c87cfff039bfb47
                                            • Instruction Fuzzy Hash: A7F062714083449AE7109E16DC88BA2FFA8EB51739F18C45AED485B296C2799884CBB1

                                            Non-executed Functions

                                            Function 0275DAEC Relevance: .3, Instructions: 264COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1762610866.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2750000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 147b7f0a1a89b01742000f966ebb93f5b8e09af9bd7580ae8608ef01780cb287
                                            • Instruction ID: 3e42ffabd22b4de53e82e5bea535ba7118fac0a8e0453d0222a6ea909d095b7e
                                            • Opcode Fuzzy Hash: 147b7f0a1a89b01742000f966ebb93f5b8e09af9bd7580ae8608ef01780cb287
                                            • Instruction Fuzzy Hash: D7A15C32E006298FCF15DFA4C8449AEB7B3FF85300B1541AAE805AB265DBB5E956CB40

                                            Execution Graph

                                            Execution Coverage:11%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:1.4%
                                            Total number of Nodes:208
                                            Total number of Limit Nodes:26
                                            execution_graph 42496 111d030 42497 111d048 42496->42497 42498 111d0a2 42497->42498 42505 67f024c 42497->42505 42513 67f24d0 42497->42513 42517 67f23b0 42497->42517 42523 67f6dc0 42497->42523 42531 67f23a3 42497->42531 42537 67f023c 42497->42537 42506 67f0257 42505->42506 42507 67f6e51 42506->42507 42510 67f6e41 42506->42510 42553 67f5b74 42507->42553 42509 67f6e4f 42541 67f6f68 42510->42541 42547 67f6f78 42510->42547 42514 67f24d4 42513->42514 42617 67f0274 42514->42617 42516 67f24e7 42516->42498 42518 67f23d6 42517->42518 42519 67f023c GetModuleHandleW 42518->42519 42520 67f23e2 42519->42520 42521 67f024c 2 API calls 42520->42521 42522 67f23f7 42521->42522 42522->42498 42526 67f6dc5 42523->42526 42524 67f6e51 42525 67f5b74 2 API calls 42524->42525 42528 67f6e4f 42525->42528 42526->42524 42527 67f6e41 42526->42527 42529 67f6f78 2 API calls 42527->42529 42530 67f6f68 2 API calls 42527->42530 42528->42528 42529->42528 42530->42528 42532 67f23ac 42531->42532 42533 67f023c GetModuleHandleW 42532->42533 42534 67f23e2 42533->42534 42535 67f024c 2 API calls 42534->42535 42536 67f23f7 42535->42536 42536->42498 42538 67f0247 42537->42538 42539 67f0274 GetModuleHandleW 42538->42539 42540 67f24e7 42539->42540 42540->42498 42543 67f6f86 42541->42543 42542 67f5b74 2 API calls 42542->42543 42543->42542 42544 67f705e 42543->42544 42560 67f7441 42543->42560 42565 67f7450 42543->42565 42544->42509 42549 67f6f86 42547->42549 42548 67f5b74 2 API calls 42548->42549 42549->42548 42550 67f705e 42549->42550 42551 67f7441 OleGetClipboard 42549->42551 42552 67f7450 OleGetClipboard 42549->42552 42550->42509 42551->42549 42552->42549 42554 67f5b7f 42553->42554 42555 67f70ba 42554->42555 42556 67f7164 42554->42556 42558 67f7112 CallWindowProcW 42555->42558 42559 67f70c1 42555->42559 42557 67f024c OleGetClipboard 42556->42557 42557->42559 42558->42559 42559->42509 42561 67f7446 42560->42561 42562 67f7436 42561->42562 42570 67f7608 42561->42570 42576 67f75f8 42561->42576 42562->42543 42566 67f746f 42565->42566 42567 67f7486 42566->42567 42568 67f7608 OleGetClipboard 42566->42568 42569 67f75f8 OleGetClipboard 42566->42569 42567->42543 42568->42566 42569->42566 42571 67f7610 42570->42571 42572 67f7624 42571->42572 42583 67f7643 42571->42583 42594 67f7650 42571->42594 42572->42561 42573 67f7639 42573->42561 42577 67f75af 42576->42577 42578 67f7606 42576->42578 42577->42561 42579 67f7624 42578->42579 42581 67f7643 OleGetClipboard 42578->42581 42582 67f7650 OleGetClipboard 42578->42582 42579->42561 42580 67f7639 42580->42561 42581->42580 42582->42580 42584 67f764a 42583->42584 42585 67f767d 42584->42585 42587 67f76c1 42584->42587 42590 67f7643 OleGetClipboard 42585->42590 42591 67f7650 OleGetClipboard 42585->42591 42586 67f7683 42586->42573 42589 67f7741 42587->42589 42605 67f7918 42587->42605 42609 67f7908 42587->42609 42588 67f775f 42588->42573 42589->42573 42590->42586 42591->42586 42595 67f7662 42594->42595 42596 67f767d 42595->42596 42598 67f76c1 42595->42598 42603 67f7643 OleGetClipboard 42596->42603 42604 67f7650 OleGetClipboard 42596->42604 42597 67f7683 42597->42573 42600 67f7741 42598->42600 42601 67f7918 OleGetClipboard 42598->42601 42602 67f7908 OleGetClipboard 42598->42602 42599 67f775f 42599->42573 42600->42573 42601->42599 42602->42599 42603->42597 42604->42597 42607 67f792d 42605->42607 42608 67f7953 42607->42608 42613 67f6d70 42607->42613 42608->42588 42611 67f7918 42609->42611 42610 67f6d70 OleGetClipboard 42610->42611 42611->42610 42612 67f7953 42611->42612 42612->42588 42614 67f79c0 OleGetClipboard 42613->42614 42616 67f7a5a 42614->42616 42618 67f027f 42617->42618 42620 67f25b7 42618->42620 42621 67f0118 42618->42621 42622 67f1150 GetModuleHandleW 42621->42622 42624 67f11c5 42622->42624 42624->42620 42637 67f114b 42638 67f1150 GetModuleHandleW 42637->42638 42640 67f11c5 42638->42640 42625 67f21f8 42626 67f2260 CreateWindowExW 42625->42626 42628 67f231c 42626->42628 42641 67f7828 42642 67f7833 42641->42642 42643 67f7843 42642->42643 42645 67f6c5c 42642->42645 42646 67f7878 OleInitialize 42645->42646 42647 67f78dc 42646->42647 42647->42643 42648 29f0848 42649 29f084e 42648->42649 42650 29f091b 42649->42650 42652 29f1343 42649->42652 42654 29f1356 42652->42654 42653 29f1444 42653->42649 42654->42653 42660 29ff130 42654->42660 42664 29ff140 42654->42664 42668 67f9520 42654->42668 42674 67f9511 42654->42674 42680 29f7e71 42654->42680 42661 29ff134 42660->42661 42663 29ff1c9 42661->42663 42685 29fe56c 42661->42685 42663->42654 42665 29ff152 42664->42665 42666 29fe56c GetModuleHandleW 42665->42666 42667 29ff1c9 42665->42667 42666->42667 42667->42654 42669 67f9528 42668->42669 42670 67f956d 42669->42670 42722 67f9571 42669->42722 42726 67f9602 42669->42726 42730 67f9580 42669->42730 42670->42654 42675 67f9528 42674->42675 42676 67f956d 42675->42676 42677 67f9602 SetWindowsHookExA 42675->42677 42678 67f9571 SetWindowsHookExA 42675->42678 42679 67f9580 SetWindowsHookExA 42675->42679 42676->42654 42677->42675 42678->42675 42679->42675 42681 29f7e7b 42680->42681 42682 29f7f31 42681->42682 42738 680f960 42681->42738 42743 680f951 42681->42743 42682->42654 42686 29fe577 42685->42686 42690 67f071b 42686->42690 42697 67f0730 42686->42697 42687 29ff3aa 42687->42663 42691 67f0728 42690->42691 42704 67f0bf9 42691->42704 42708 67f0c08 42691->42708 42692 67f07de 42693 67f0118 GetModuleHandleW 42692->42693 42694 67f080a 42692->42694 42693->42694 42698 67f0735 42697->42698 42702 67f0bf9 GetModuleHandleW 42698->42702 42703 67f0c08 GetModuleHandleW 42698->42703 42699 67f07de 42700 67f0118 GetModuleHandleW 42699->42700 42701 67f080a 42699->42701 42700->42701 42702->42699 42703->42699 42705 67f0c04 42704->42705 42705->42692 42706 67f0c13 42705->42706 42713 67f0e2e 42705->42713 42706->42692 42709 67f0c13 42708->42709 42710 67f0c17 42708->42710 42709->42692 42710->42692 42711 67f0d4e 42710->42711 42712 67f0e2e GetModuleHandleW 42710->42712 42712->42711 42714 67f0118 GetModuleHandleW 42713->42714 42715 67f0e49 42714->42715 42716 67f0118 GetModuleHandleW 42715->42716 42721 67f1014 42715->42721 42717 67f0f9a 42716->42717 42718 67f0118 GetModuleHandleW 42717->42718 42717->42721 42719 67f0fe8 42718->42719 42720 67f0118 GetModuleHandleW 42719->42720 42719->42721 42720->42721 42721->42706 42723 67f9580 42722->42723 42725 67f9600 42723->42725 42734 67f8fc8 42723->42734 42725->42669 42727 67f95bd 42726->42727 42728 67f8fc8 SetWindowsHookExA 42727->42728 42729 67f9600 42727->42729 42728->42727 42729->42669 42732 67f9585 42730->42732 42731 67f9600 42731->42669 42732->42731 42733 67f8fc8 SetWindowsHookExA 42732->42733 42733->42732 42737 67f9788 SetWindowsHookExA 42734->42737 42736 67f9812 42736->42723 42737->42736 42739 680f975 42738->42739 42740 680fb86 42739->42740 42741 680fbb0 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 42739->42741 42742 680fba0 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 42739->42742 42740->42682 42741->42739 42742->42739 42744 680f954 42743->42744 42745 680fb86 42744->42745 42746 680fba0 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 42744->42746 42747 680fbb0 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 42744->42747 42745->42682 42746->42744 42747->42744 42748 67f5de8 DuplicateHandle 42749 67f5e7e 42748->42749 42629 67f7370 42631 67f7378 42629->42631 42632 67f739b 42631->42632 42633 67f6a24 42631->42633 42634 67f73b0 KiUserCallbackDispatcher 42633->42634 42636 67f741e 42634->42636 42636->42631

                                            Executed Functions

                                            Function 06802358 Relevance: 9.0, Strings: 6, Instructions: 1486COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $^q$$^q$$^q$$^q$$^q$$^q
                                            • API String ID: 0-2392861976
                                            • Opcode ID: 6cac94d91d5bf146aa13d9ce05b9cac2956d7784c06729581ad25bdb5e761552
                                            • Instruction ID: 9c016de7da71128eba088a4bd5e5c5dba944ba9a8f6ebe111ab4bee7bb3bbb4b
                                            • Opcode Fuzzy Hash: 6cac94d91d5bf146aa13d9ce05b9cac2956d7784c06729581ad25bdb5e761552
                                            • Instruction Fuzzy Hash: 9AD27D34E00609CFDBA4DB68C998A9DB7B2FF85304F5489A9D509EB295DB70ED81CF40
                                            Function 0680B218 Relevance: 8.3, Strings: 6, Instructions: 772COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $^q$$^q$$^q$$^q$$^q$$^q
                                            • API String ID: 0-2392861976
                                            • Opcode ID: f64a993b6b01a597d2f4c4f42d09b8a69901bbb930d6b43557daee58665b8219
                                            • Instruction ID: 5ccb322c070b43191b12c0f24cfe190de642f278e382416fc1eac0fe625fa346
                                            • Opcode Fuzzy Hash: f64a993b6b01a597d2f4c4f42d09b8a69901bbb930d6b43557daee58665b8219
                                            • Instruction Fuzzy Hash: 82528130E102098FEFA4DB68D9907ADB7B2FB45314F208826E515EB395DB36DC85CB91
                                            Function 06807D68 Relevance: 3.0, Strings: 2, Instructions: 471COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1771 6807d68-6807d86 1774 6807d88-6807d8b 1771->1774 1775 6807d8d-6807da9 1774->1775 1776 6807dae-6807db1 1774->1776 1775->1776 1777 6807db3-6807dbd 1776->1777 1778 6807dbe-6807dc1 1776->1778 1780 6807de2-6807de5 1778->1780 1781 6807dc3-6807ddd 1778->1781 1782 6807de7-6807df5 1780->1782 1783 6807dfc-6807dfe 1780->1783 1781->1780 1789 6807e0e-6807e24 1782->1789 1790 6807df7 1782->1790 1785 6807e00 1783->1785 1786 6807e05-6807e08 1783->1786 1785->1786 1786->1774 1786->1789 1793 6807e2a-6807e33 1789->1793 1794 680803f-6808049 1789->1794 1790->1783 1795 6807e39-6807e56 1793->1795 1796 680804a-680807f 1793->1796 1803 680802c-6808039 1795->1803 1804 6807e5c-6807e84 1795->1804 1799 6808081-6808084 1796->1799 1801 6808131-6808134 1799->1801 1802 680808a-6808096 1799->1802 1805 6808136-6808152 1801->1805 1806 6808157-680815a 1801->1806 1809 68080a1-68080a3 1802->1809 1803->1793 1803->1794 1804->1803 1827 6807e8a-6807e93 1804->1827 1805->1806 1807 6808160-680816f 1806->1807 1808 680838f-6808391 1806->1808 1822 6808171-680818c 1807->1822 1823 680818e-68081d2 1807->1823 1813 6808393 1808->1813 1814 6808398-680839b 1808->1814 1811 68080a5-68080ab 1809->1811 1812 68080bb-68080bf 1809->1812 1817 68080ad 1811->1817 1818 68080af-68080b1 1811->1818 1819 68080c1-68080cb 1812->1819 1820 68080cd 1812->1820 1813->1814 1814->1799 1821 68083a1-68083aa 1814->1821 1817->1812 1818->1812 1825 68080d2-68080d4 1819->1825 1820->1825 1822->1823 1834 6808363-6808379 1823->1834 1835 68081d8-68081e9 1823->1835 1828 68080d6-68080d9 1825->1828 1829 68080eb-6808124 1825->1829 1827->1796 1831 6807e99-6807eb5 1827->1831 1828->1821 1829->1807 1853 6808126-6808130 1829->1853 1840 680801a-6808026 1831->1840 1841 6807ebb-6807ee5 1831->1841 1834->1808 1844 680834e-680835d 1835->1844 1845 68081ef-680820c 1835->1845 1840->1803 1840->1827 1856 6808010-6808015 1841->1856 1857 6807eeb-6807f13 1841->1857 1844->1834 1844->1835 1845->1844 1855 6808212-6808308 call 6806588 1845->1855 1906 6808316 1855->1906 1907 680830a-6808314 1855->1907 1856->1840 1857->1856 1863 6807f19-6807f47 1857->1863 1863->1856 1869 6807f4d-6807f56 1863->1869 1869->1856 1871 6807f5c-6807f8e 1869->1871 1878 6807f90-6807f94 1871->1878 1879 6807f99-6807fb5 1871->1879 1878->1856 1880 6807f96 1878->1880 1879->1840 1881 6807fb7-680800e call 6806588 1879->1881 1880->1879 1881->1840 1908 680831b-680831d 1906->1908 1907->1908 1908->1844 1909 680831f-6808324 1908->1909 1910 6808332 1909->1910 1911 6808326-6808330 1909->1911 1912 6808337-6808339 1910->1912 1911->1912 1912->1844 1913 680833b-6808347 1912->1913 1913->1844
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $^q$$^q
                                            • API String ID: 0-355816377
                                            • Opcode ID: f670fade110519e882d7e8817922118f226336ab310fb99dcd37c005f8d4144b
                                            • Instruction ID: 2302fb863ca98fa9f64fa6a3647eef608c0d153f6214bb6ee43405d28c64cd8e
                                            • Opcode Fuzzy Hash: f670fade110519e882d7e8817922118f226336ab310fb99dcd37c005f8d4144b
                                            • Instruction Fuzzy Hash: AD028D30B006199FEF94DB68D990A6EB7E2FF84314F148829D509DB794DB71EC86CB81
                                            Function 06805590 Relevance: 1.8, Strings: 1, Instructions: 595COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $
                                            • API String ID: 0-3993045852
                                            • Opcode ID: 5a103b88e25d78aff9a657aa63b87ef02c2ccba88bf794ac3bce62f3667300d3
                                            • Instruction ID: 7e2e4c8962553142adf0b341329beae57aecf139ea28df1e49e5d74c22204a7e
                                            • Opcode Fuzzy Hash: 5a103b88e25d78aff9a657aa63b87ef02c2ccba88bf794ac3bce62f3667300d3
                                            • Instruction Fuzzy Hash: 5A22C435E102158FEBA4DB64CA806AEB7B2FF45314F208869D559EB384DB31DD41CFA2
                                            Function 067F8FC8 Relevance: 1.6, APIs: 1, Instructions: 60COMMON
                                            Download Yara Rule
                                            APIs
                                            • SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,067F95F0,00000000,00000000), ref: 067F9803
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193447280.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_67f0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: HookWindows
                                            • String ID:
                                            • API String ID: 2559412058-0
                                            • Opcode ID: 0211594854e44fccb111ce7c1a1b54cf12f38c527d298f817286275554373332
                                            • Instruction ID: 3a1e44a8e87f860fe31e1fda63bf8eb48c8b01565e7e4141cce4466e8f7fb52f
                                            • Opcode Fuzzy Hash: 0211594854e44fccb111ce7c1a1b54cf12f38c527d298f817286275554373332
                                            • Instruction Fuzzy Hash: 7D2132B1D002098FCB54DF9AC844BEEFBF5AB88320F10842AE519A7350CB74A944CFA1
                                            Function 068065D8 Relevance: .8, Instructions: 825COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2fc1243c2f466f9db7ecb58f89fc66940d07277fcf8217941b3ee0de71986c4c
                                            • Instruction ID: 0e0c6743ff0eaaeffb5cbf26a83adfb824baef4e5ebe7dcfbc2d0262a688d305
                                            • Opcode Fuzzy Hash: 2fc1243c2f466f9db7ecb58f89fc66940d07277fcf8217941b3ee0de71986c4c
                                            • Instruction Fuzzy Hash: 7D62A034E102058FEB94DB68D954BADBBF2EF84314F148969E505EB394EB35EC92CB40
                                            Function 0680C178 Relevance: .6, Instructions: 635COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5f13438c95593e5044e4ace93bf97bf8f44157bc7930b27a0f279c26250dacd0
                                            • Instruction ID: 54f399aef3a405ef1185ca2032ccd97266c6290d82a20da8122ecc45894a2e37
                                            • Opcode Fuzzy Hash: 5f13438c95593e5044e4ace93bf97bf8f44157bc7930b27a0f279c26250dacd0
                                            • Instruction Fuzzy Hash: DF328034A102099FEFA4DF68D980BADB7B2FB88314F108925D505EB795DB31EC46CB91
                                            Function 0680ACB0 Relevance: 10.4, Strings: 8, Instructions: 393COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 0 680acb0-680acce 4 680acd0-680acd3 0->4 5 680acd5-680acf1 4->5 6 680acf6-680acf9 4->6 5->6 7 680aecd-680aed6 6->7 8 680acff-680ad02 6->8 11 680ad11-680ad1a 7->11 12 680aedc-680aee6 7->12 9 680ad04-680ad09 8->9 10 680ad0c-680ad0f 8->10 9->10 10->11 14 680ad29-680ad2c 10->14 15 680ad20-680ad24 11->15 16 680aee7-680aef1 11->16 17 680ad40-680ad43 14->17 18 680ad2e-680ad3b 14->18 15->14 27 680aef3-680af1e 16->27 28 680af68-680af69 16->28 20 680ad54-680ad57 17->20 21 680ad45-680ad49 17->21 18->17 25 680ad67-680ad6a 20->25 26 680ad59-680ad62 20->26 21->12 24 680ad4f 21->24 24->20 32 680ad84-680ad86 25->32 33 680ad6c-680ad7f 25->33 26->25 31 680af20-680af23 27->31 29 680b1d2-680b1d5 28->29 30 680af6d 28->30 36 680b1e4-680b1e6 29->36 37 680b1d7 29->37 38 680af6f-680afaa 30->38 39 680af25-680af41 31->39 40 680af46-680af49 31->40 34 680ad88 32->34 35 680ad8d-680ad90 32->35 33->32 34->35 35->4 42 680ad96-680adba 35->42 45 680b1e8 36->45 46 680b1ed-680b1f0 36->46 129 680b1d7 call 680b208 37->129 130 680b1d7 call 680b218 37->130 55 680afb0-680afbc 38->55 56 680b19d-680b1b0 38->56 39->40 43 680af56-680af59 40->43 44 680af4b-680af4f 40->44 63 680adc0-680adcf 42->63 64 680aeca 42->64 50 680af66 43->50 51 680af5b-680af65 43->51 44->38 48 680af51 44->48 45->46 46->31 52 680b1f6-680b200 46->52 48->43 49 680b1dd-680b1df 49->36 50->28 61 680afdc-680b020 55->61 62 680afbe-680afd7 55->62 57 680b1b2 56->57 57->29 80 680b022-680b034 61->80 81 680b03c-680b07b 61->81 62->57 67 680add1-680add7 63->67 68 680ade7-680ae22 call 6806588 63->68 64->7 70 680add9 67->70 71 680addb-680addd 67->71 87 680ae24-680ae2a 68->87 88 680ae3a-680ae51 68->88 70->68 71->68 80->81 85 680b081-680b15c call 6806588 81->85 86 680b162-680b177 81->86 85->86 86->56 90 680ae2c 87->90 91 680ae2e-680ae30 87->91 98 680ae53-680ae59 88->98 99 680ae69-680ae7a 88->99 90->88 91->88 100 680ae5b 98->100 101 680ae5d-680ae5f 98->101 104 680ae92-680aec3 99->104 105 680ae7c-680ae82 99->105 100->99 101->99 104->64 107 680ae84 105->107 108 680ae86-680ae88 105->108 107->104 108->104 129->49 130->49
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                            • API String ID: 0-3823777903
                                            • Opcode ID: 36003c963622f88b1da098a61958ae2bb0616aaf3c9b8281b5a09a588456f6eb
                                            • Instruction ID: 77f4aa3ad89aff574b5e137ad4ec419b26d088503620680d1b376c3abafd3d58
                                            • Opcode Fuzzy Hash: 36003c963622f88b1da098a61958ae2bb0616aaf3c9b8281b5a09a588456f6eb
                                            • Instruction Fuzzy Hash: CCE17130E1030A8FEB99DF68D9906AEB7B6FF85304F108929D905DB395DB71D846CB81
                                            Function 06809138 Relevance: 5.2, Strings: 4, Instructions: 231COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 865 6809138-680915d 867 680915f-6809162 865->867 868 6809164-6809183 867->868 869 6809188-680918b 867->869 868->869 870 6809191-68091a6 869->870 871 6809a4b-6809a4d 869->871 878 68091a8-68091ae 870->878 879 68091be-68091d4 870->879 873 6809a54-6809a57 871->873 874 6809a4f 871->874 873->867 875 6809a5d-6809a67 873->875 874->873 880 68091b0 878->880 881 68091b2-68091b4 878->881 883 68091df-68091e1 879->883 880->879 881->879 884 68091e3-68091e9 883->884 885 68091f9-680926a 883->885 886 68091eb 884->886 887 68091ed-68091ef 884->887 896 6809296-68092b2 885->896 897 680926c-680928f 885->897 886->885 887->885 902 68092b4-68092d7 896->902 903 68092de-68092f9 896->903 897->896 902->903 908 6809324-680933f 903->908 909 68092fb-680931d 903->909 914 6809341-6809363 908->914 915 680936a-6809374 908->915 909->908 914->915 916 6809384-68093fe 915->916 917 6809376-680937f 915->917 923 6809400-680941e 916->923 924 680944b-6809460 916->924 917->875 928 6809420-680942f 923->928 929 680943a-6809449 923->929 924->871 928->929 929->923 929->924
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $^q$$^q$$^q$$^q
                                            • API String ID: 0-2125118731
                                            • Opcode ID: cc4dd58c73a3396347d7dbb386ffdca626cf24b4f790167b5dc93ca8988a1d71
                                            • Instruction ID: e8e98e4b549d698e3d3e4ea991b7bc397541b45a8db017921dd89570242fa0f6
                                            • Opcode Fuzzy Hash: cc4dd58c73a3396347d7dbb386ffdca626cf24b4f790167b5dc93ca8988a1d71
                                            • Instruction Fuzzy Hash: 8C917130F0060A9FDF94DB64D9507AEB7F6AFC9204F108869C40DEB788EB709C468B91
                                            Function 0680CF30 Relevance: 4.6, Strings: 3, Instructions: 804COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 932 680cf30-680cf4b 933 680cf4d-680cf50 932->933 934 680cf52-680cf68 933->934 935 680cf6d-680cf70 933->935 934->935 936 680cf72-680cf74 935->936 937 680cf7f-680cf82 935->937 938 680d2d7-680d2e0 936->938 939 680cf7a 936->939 940 680cf88-680cf8b 937->940 941 680d41c-680d428 937->941 943 680d2e2-680d2e7 938->943 944 680d2ef-680d2fb 938->944 939->937 945 680cfd4-680cfd7 940->945 946 680cf8d-680cfcf 940->946 947 680d071-680d080 941->947 948 680d42e-680d71b 941->948 943->944 951 680d301-680d315 944->951 952 680d40c-680d411 944->952 949 680d020-680d023 945->949 950 680cfd9-680d01b 945->950 946->945 953 680d082-680d087 947->953 954 680d08f-680d09b 947->954 1150 680d721-680d727 948->1150 1151 680d942-680d94c 948->1151 957 680d025-680d067 949->957 958 680d06c-680d06f 949->958 950->949 969 680d419 951->969 970 680d31b-680d32d 951->970 952->969 953->954 959 680d0a1-680d0b3 954->959 960 680d94d-680d95e 954->960 957->958 958->947 964 680d0b8-680d0bb 958->964 959->964 980 680d960-680d962 960->980 981 680d966 960->981 967 680d104-680d107 964->967 968 680d0bd-680d0cc 964->968 978 680d150-680d153 967->978 979 680d109-680d14b 967->979 975 680d0db-680d0e7 968->975 976 680d0ce-680d0d3 968->976 969->941 998 680d351-680d353 970->998 999 680d32f-680d335 970->999 975->960 984 680d0ed-680d0ff 975->984 976->975 985 680d155-680d197 978->985 986 680d19c-680d19f 978->986 979->978 989 680d964-680d965 980->989 990 680d96a-680d96c 980->990 991 680d968-680d969 981->991 992 680d96d-680d986 981->992 984->967 985->986 993 680d1a1-680d1e3 986->993 994 680d1e8-680d1eb 986->994 989->981 990->992 991->990 997 680d988-680d98b 992->997 993->994 1006 680d1f5-680d1f8 994->1006 1007 680d1ed-680d1f2 994->1007 1000 680d98d-680d9b9 997->1000 1001 680d9be-680d9c1 997->1001 1008 680d35d-680d369 998->1008 1009 680d337 999->1009 1010 680d339-680d345 999->1010 1000->1001 1017 680d9c3-680d9df 1001->1017 1018 680d9e4-680d9e7 1001->1018 1015 680d207-680d20a 1006->1015 1016 680d1fa-680d1fc 1006->1016 1007->1006 1032 680d377 1008->1032 1033 680d36b-680d375 1008->1033 1019 680d347-680d34f 1009->1019 1010->1019 1024 680d253-680d256 1015->1024 1025 680d20c-680d24e 1015->1025 1016->969 1023 680d202 1016->1023 1017->1018 1027 680d9f6-680d9f8 1018->1027 1028 680d9e9 1018->1028 1019->1008 1023->1015 1040 680d258-680d29a 1024->1040 1041 680d29f-680d2a2 1024->1041 1025->1024 1038 680d9fa 1027->1038 1039 680d9ff-680da02 1027->1039 1197 680d9e9 call 680daa5 1028->1197 1198 680d9e9 call 680dab8 1028->1198 1042 680d37c-680d37e 1032->1042 1033->1042 1038->1039 1039->997 1050 680da04-680da13 1039->1050 1040->1041 1044 680d2a4-680d2c0 1041->1044 1045 680d2c5-680d2c7 1041->1045 1042->969 1052 680d384-680d3a0 call 6806588 1042->1052 1044->1045 1054 680d2c9 1045->1054 1055 680d2ce-680d2d1 1045->1055 1048 680d9ef-680d9f1 1048->1027 1063 680da15-680da78 call 6806588 1050->1063 1064 680da7a-680da8f 1050->1064 1080 680d3a2-680d3a7 1052->1080 1081 680d3af-680d3bb 1052->1081 1054->1055 1055->933 1055->938 1063->1064 1080->1081 1081->952 1086 680d3bd-680d40a 1081->1086 1086->969 1152 680d736-680d73f 1150->1152 1153 680d729-680d72e 1150->1153 1152->960 1154 680d745-680d758 1152->1154 1153->1152 1156 680d932-680d93c 1154->1156 1157 680d75e-680d764 1154->1157 1156->1150 1156->1151 1158 680d773-680d77c 1157->1158 1159 680d766-680d76b 1157->1159 1158->960 1160 680d782-680d7a3 1158->1160 1159->1158 1163 680d7b2-680d7bb 1160->1163 1164 680d7a5-680d7aa 1160->1164 1163->960 1165 680d7c1-680d7de 1163->1165 1164->1163 1165->1156 1168 680d7e4-680d7ea 1165->1168 1168->960 1169 680d7f0-680d809 1168->1169 1171 680d925-680d92c 1169->1171 1172 680d80f-680d836 1169->1172 1171->1156 1171->1168 1172->960 1175 680d83c-680d846 1172->1175 1175->960 1176 680d84c-680d863 1175->1176 1178 680d872-680d88d 1176->1178 1179 680d865-680d870 1176->1179 1178->1171 1184 680d893-680d8ac call 6806588 1178->1184 1179->1178 1188 680d8bb-680d8c4 1184->1188 1189 680d8ae-680d8b3 1184->1189 1188->960 1190 680d8ca-680d91e 1188->1190 1189->1188 1190->1171 1197->1048 1198->1048
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $^q$$^q$$^q
                                            • API String ID: 0-831282457
                                            • Opcode ID: df065b6d88599a08a3f28978abdb9b2ff7c0e4851b9ada5c6de514f174b91295
                                            • Instruction ID: da89e3a54098c040e7979edbfdfb1f5e79108562b2400cf9d9a6b001b9816aed
                                            • Opcode Fuzzy Hash: df065b6d88599a08a3f28978abdb9b2ff7c0e4851b9ada5c6de514f174b91295
                                            • Instruction Fuzzy Hash: 26624334A1020A9FDB55EB68DA90A5EB7F2FF84304F208A29D015DF759DB71EC46CB84
                                            Function 06804B58 Relevance: 3.9, Strings: 3, Instructions: 186COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1199 6804b58-6804b7c 1201 6804b7e-6804b81 1199->1201 1202 6804ba2-6804ba5 1201->1202 1203 6804b83-6804b9b 1201->1203 1204 6805284-6805286 1202->1204 1205 6804bab-6804ca3 1202->1205 1214 6804b39 1203->1214 1215 6804b9d 1203->1215 1206 6805288 1204->1206 1207 680528d-6805290 1204->1207 1239 6804d26-6804d2d 1205->1239 1240 6804ca9-6804cf1 1205->1240 1206->1207 1207->1201 1209 6805296-68052a3 1207->1209 1217 6804b3b-6804b41 1214->1217 1218 6804ade-6804ae1 1214->1218 1215->1202 1219 6804ae3-6804af2 1218->1219 1220 6804af7-6804afa 1218->1220 1219->1220 1221 6804b11-6804b14 1220->1221 1222 6804afc-6804b0c 1220->1222 1225 6804b16-6804b28 1221->1225 1226 6804b2d-6804b2f 1221->1226 1222->1221 1225->1226 1229 6804b31 1226->1229 1230 6804b36 1226->1230 1229->1230 1230->1214 1241 6804db1-6804dba 1239->1241 1242 6804d33-6804da3 1239->1242 1262 6804cf6 call 6805410 1240->1262 1263 6804cf6 call 6805401 1240->1263 1241->1209 1259 6804da5 1242->1259 1260 6804dae 1242->1260 1253 6804cfc-6804d18 1256 6804d23-6804d24 1253->1256 1257 6804d1a 1253->1257 1256->1239 1257->1256 1259->1260 1260->1241 1262->1253 1263->1253
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: fcq$XPcq$\Ocq
                                            • API String ID: 0-3575482020
                                            • Opcode ID: 25bc3a236e3d6532b75902c446f3c7b205df82b787df49c05d7d32a6fec38f7f
                                            • Instruction ID: 0df74a645208f6fcf86f48d153bb64920241c98f7a6b7949d807bea3c301b82c
                                            • Opcode Fuzzy Hash: 25bc3a236e3d6532b75902c446f3c7b205df82b787df49c05d7d32a6fec38f7f
                                            • Instruction Fuzzy Hash: 62616130E102199FEB559FA8C8547AEBAF2FF88304F20842AD509EB3D4DB758C458B91
                                            Function 06809127 Relevance: 2.7, Strings: 2, Instructions: 170COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 2019 6809127-680912e 2021 6809130-6809132 2019->2021 2022 6809135 2019->2022 2023 6809139-680915d 2021->2023 2024 6809134 2021->2024 2022->2023 2025 680915f-6809162 2023->2025 2024->2022 2026 6809164-6809183 2025->2026 2027 6809188-680918b 2025->2027 2026->2027 2028 6809191-68091a6 2027->2028 2029 6809a4b-6809a4d 2027->2029 2036 68091a8-68091ae 2028->2036 2037 68091be-68091d4 2028->2037 2031 6809a54-6809a57 2029->2031 2032 6809a4f 2029->2032 2031->2025 2033 6809a5d-6809a67 2031->2033 2032->2031 2038 68091b0 2036->2038 2039 68091b2-68091b4 2036->2039 2041 68091df-68091e1 2037->2041 2038->2037 2039->2037 2042 68091e3-68091e9 2041->2042 2043 68091f9-680926a 2041->2043 2044 68091eb 2042->2044 2045 68091ed-68091ef 2042->2045 2054 6809296-68092b2 2043->2054 2055 680926c-680928f 2043->2055 2044->2043 2045->2043 2060 68092b4-68092d7 2054->2060 2061 68092de-68092f9 2054->2061 2055->2054 2060->2061 2066 6809324-680933f 2061->2066 2067 68092fb-680931d 2061->2067 2072 6809341-6809363 2066->2072 2073 680936a-6809374 2066->2073 2067->2066 2072->2073 2074 6809384-68093fe 2073->2074 2075 6809376-680937f 2073->2075 2081 6809400-680941e 2074->2081 2082 680944b-6809460 2074->2082 2075->2033 2086 6809420-680942f 2081->2086 2087 680943a-6809449 2081->2087 2082->2029 2086->2087 2087->2081 2087->2082
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $^q$$^q
                                            • API String ID: 0-355816377
                                            • Opcode ID: 7b6001ec21145fbbb2481e956810e1a5987956b0ef7bd00d0b060446a3bc8bfe
                                            • Instruction ID: cc97f191315e321bc224f6defae408e7ef262d0170b66afe9c615e569dd85f36
                                            • Opcode Fuzzy Hash: 7b6001ec21145fbbb2481e956810e1a5987956b0ef7bd00d0b060446a3bc8bfe
                                            • Instruction Fuzzy Hash: 46519330F005099FEF94DB64D950BAE77F6EBC8248F10982AC50DDB789DA70DC428B92
                                            Function 06804B49 Relevance: 2.7, Strings: 2, Instructions: 154COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 2090 6804b49-6804b4e 2091 6804b50-6804b54 2090->2091 2092 6804b55-6804b56 2090->2092 2091->2092 2093 6804b90-6804b9b 2091->2093 2094 6804b58-6804b5c 2092->2094 2095 6804b5d-6804b7c 2092->2095 2100 6804b39 2093->2100 2101 6804b9d 2093->2101 2094->2095 2096 6804b7e-6804b81 2095->2096 2097 6804ba2-6804ba5 2096->2097 2098 6804b83-6804b8f 2096->2098 2102 6805284-6805286 2097->2102 2103 6804bab-6804ca3 2097->2103 2098->2093 2107 6804b3b-6804b41 2100->2107 2108 6804ade-6804ae1 2100->2108 2101->2097 2104 6805288 2102->2104 2105 680528d-6805290 2102->2105 2133 6804d26-6804d2d 2103->2133 2134 6804ca9-6804cf1 2103->2134 2104->2105 2105->2096 2109 6805296-68052a3 2105->2109 2110 6804ae3-6804af2 2108->2110 2111 6804af7-6804afa 2108->2111 2110->2111 2113 6804b11-6804b14 2111->2113 2114 6804afc-6804b0c 2111->2114 2117 6804b16-6804b28 2113->2117 2118 6804b2d-6804b2f 2113->2118 2114->2113 2117->2118 2120 6804b31 2118->2120 2121 6804b36 2118->2121 2120->2121 2121->2100 2135 6804db1-6804dba 2133->2135 2136 6804d33-6804da3 2133->2136 2156 6804cf6 call 6805410 2134->2156 2157 6804cf6 call 6805401 2134->2157 2135->2109 2153 6804da5 2136->2153 2154 6804dae 2136->2154 2147 6804cfc-6804d18 2150 6804d23-6804d24 2147->2150 2151 6804d1a 2147->2151 2150->2133 2151->2150 2153->2154 2154->2135 2156->2147 2157->2147
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: fcq$XPcq
                                            • API String ID: 0-936005338
                                            • Opcode ID: 263d2995f349e51e976c07a99f80b6ea7da5060436d3bbc0559f53a5c6c28344
                                            • Instruction ID: 8561577bd2e1251d1ba577a8f35ea1b072c4cba29beb11712e8e866a36d8a395
                                            • Opcode Fuzzy Hash: 263d2995f349e51e976c07a99f80b6ea7da5060436d3bbc0559f53a5c6c28344
                                            • Instruction Fuzzy Hash: 15518331F102089FEB559FA5C854BAEBBF6FF88700F208529D605EB3D5DA748C458B51
                                            Function 029FEA28 Relevance: 1.6, APIs: 1, Instructions: 131COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 2532 29fea28-29fea33 2533 29fea5d-29fea7c call 29fe190 2532->2533 2534 29fea35-29fea5c 2532->2534 2539 29fea7e-29fea81 2533->2539 2540 29fea82-29feac6 2533->2540 2545 29feacd-29feace 2540->2545 2546 29feac8-29feacb 2540->2546 2547 29fead5-29feae1 2545->2547 2548 29fead0 2545->2548 2546->2547 2551 29feae7-29feafe 2547->2551 2552 29feae3-29feae6 2547->2552 2548->2547 2554 29feb05-29feb74 GlobalMemoryStatusEx 2551->2554 2555 29feb00-29feb04 2551->2555 2557 29feb7d-29feba5 2554->2557 2558 29feb76-29feb7c 2554->2558 2555->2554 2558->2557
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4189514329.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_29f0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f647879a2cba3087da6e5ce5723b5eb6dd56bb97f625512fcbaccb1de9ff910c
                                            • Instruction ID: 9c783f99a91a7807658bc6834adb32161e49cb53d4af85e303da4e8d4600ffb8
                                            • Opcode Fuzzy Hash: f647879a2cba3087da6e5ce5723b5eb6dd56bb97f625512fcbaccb1de9ff910c
                                            • Instruction Fuzzy Hash: CA411431E043998FCB54DF7AD8046AEBBF5EF89314F1485AAD644A7260DB74D840CBD1
                                            Function 067F21F3 Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 2561 67f21f3-67f225e 2563 67f2269-67f2270 2561->2563 2564 67f2260-67f2266 2561->2564 2565 67f227b-67f22b3 2563->2565 2566 67f2272-67f2278 2563->2566 2564->2563 2567 67f22bb-67f231a CreateWindowExW 2565->2567 2566->2565 2568 67f231c-67f2322 2567->2568 2569 67f2323-67f235b 2567->2569 2568->2569 2573 67f235d-67f2360 2569->2573 2574 67f2368 2569->2574 2573->2574 2575 67f2369 2574->2575 2575->2575
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 067F230A
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193447280.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_67f0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 6d605890322c0af4f4fc6bcf3bb7f3e41d064ab7caa93a1853c709bc40528b07
                                            • Instruction ID: f2f9af47787a84778635a2a42c893912e6e0f466553db1d4f76a88207e33242e
                                            • Opcode Fuzzy Hash: 6d605890322c0af4f4fc6bcf3bb7f3e41d064ab7caa93a1853c709bc40528b07
                                            • Instruction Fuzzy Hash: 5551CFB1D10309DFDB14CFAAC884ADEBBB5BF48310F24812AE518AB211D7759985CF91
                                            Function 067F21F8 Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 2576 67f21f8-67f225e 2577 67f2269-67f2270 2576->2577 2578 67f2260-67f2266 2576->2578 2579 67f227b-67f231a CreateWindowExW 2577->2579 2580 67f2272-67f2278 2577->2580 2578->2577 2582 67f231c-67f2322 2579->2582 2583 67f2323-67f235b 2579->2583 2580->2579 2582->2583 2587 67f235d-67f2360 2583->2587 2588 67f2368 2583->2588 2587->2588 2589 67f2369 2588->2589 2589->2589
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 067F230A
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193447280.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_67f0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: d0206239dfc6f80f51dfca703dee6bf44578fdf0761da576d134bdc7c4ddb150
                                            • Instruction ID: badae8f45b675b94906716de9d56707ee36958588a69a3e8782535b044350d6b
                                            • Opcode Fuzzy Hash: d0206239dfc6f80f51dfca703dee6bf44578fdf0761da576d134bdc7c4ddb150
                                            • Instruction Fuzzy Hash: 5341CFB1D10309DFDB14CFAAC884ADEBBB5BF48310F64812AE518AB211D775A985CF91
                                            Function 067F5B74 Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 2590 67f5b74-67f70b4 2593 67f70ba-67f70bf 2590->2593 2594 67f7164-67f7184 call 67f024c 2590->2594 2596 67f7112-67f714a CallWindowProcW 2593->2596 2597 67f70c1-67f70f8 2593->2597 2601 67f7187-67f7194 2594->2601 2598 67f714c-67f7152 2596->2598 2599 67f7153-67f7162 2596->2599 2603 67f70fa-67f7100 2597->2603 2604 67f7101-67f7110 2597->2604 2598->2599 2599->2601 2603->2604 2604->2601
                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 067F7139
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193447280.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_67f0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID:
                                            • API String ID: 2714655100-0
                                            • Opcode ID: cf157a96180c9462d2c1b55b7c446b1a29cd9a6f4e9575a9773b0b6d08adde6a
                                            • Instruction ID: a678cf07bf33d0128de85428e863c8195151e9f334159ac925462ce945c53cba
                                            • Opcode Fuzzy Hash: cf157a96180c9462d2c1b55b7c446b1a29cd9a6f4e9575a9773b0b6d08adde6a
                                            • Instruction Fuzzy Hash: 9E4147B4A10208CFDB54CF99C888EAABBF5FB88314F24C459D518AB321C774A845CFA0
                                            Function 067F79B4 Relevance: 1.6, APIs: 1, Instructions: 77comclipboardCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193447280.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_67f0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: Clipboard
                                            • String ID:
                                            • API String ID: 220874293-0
                                            • Opcode ID: babd03f69716629a2f6f24ee917d21de3b1459ecc60db3b3aceb246609358dc9
                                            • Instruction ID: 60ab50492d1f3447386ea00535207f2f3f4edf3ddfb3533f476fd5e331acc345
                                            • Opcode Fuzzy Hash: babd03f69716629a2f6f24ee917d21de3b1459ecc60db3b3aceb246609358dc9
                                            • Instruction Fuzzy Hash: 533122B0D01208EFDB54CFA9D984BDEBBF5AF48304F248059E504BB394DB74A985CBA5
                                            Function 067F6D70 Relevance: 1.6, APIs: 1, Instructions: 74comclipboardCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193447280.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_67f0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: Clipboard
                                            • String ID:
                                            • API String ID: 220874293-0
                                            • Opcode ID: 8b1af968ad4fee385cb21ff4c2835fb262921b8771dbc857524b8318ec0d7888
                                            • Instruction ID: 52746de5b8e3a8cd808d86f482d5d0f8723f998e4b063a64afafbd84d23b7d50
                                            • Opcode Fuzzy Hash: 8b1af968ad4fee385cb21ff4c2835fb262921b8771dbc857524b8318ec0d7888
                                            • Instruction Fuzzy Hash: B73120B0D00208DFDB54DFA9D984B9EBBF5AF48304F248059E504AB390DBB4A985CFA5
                                            Function 067F5DE0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                            Download Yara Rule
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 067F5E6F
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193447280.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_67f0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: d6920a75ce234d9e0d97a7591dd7a1826fcaa7dd449c250904292e0c43dfa6e1
                                            • Instruction ID: f1a6ad84ac11ce32a180321c2b2e7ec5a02cf5b07dd1fe0dad79ce962cb0e20c
                                            • Opcode Fuzzy Hash: d6920a75ce234d9e0d97a7591dd7a1826fcaa7dd449c250904292e0c43dfa6e1
                                            • Instruction Fuzzy Hash: 5A21E3B59102589FDB10CFA9D984AEEBFF5FB48310F14801AE954A7350D378A945CF61
                                            Function 067F5DE8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                            Download Yara Rule
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 067F5E6F
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193447280.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_67f0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 128ed6ff77020152f7bfe4e4d6340c1d556fe0deaf94c0b8bea46aba9e53f40d
                                            • Instruction ID: a0aecaad0acda7e999d0252a16712635e5e053bdc533ade5f1a6bcc4e8478c61
                                            • Opcode Fuzzy Hash: 128ed6ff77020152f7bfe4e4d6340c1d556fe0deaf94c0b8bea46aba9e53f40d
                                            • Instruction Fuzzy Hash: EE21C4B59002589FDB10CF9AD984ADEFBF5FB48310F14841AE954A7350D378A944CFA5
                                            Function 067F9783 Relevance: 1.6, APIs: 1, Instructions: 60COMMON
                                            Download Yara Rule
                                            APIs
                                            • SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,067F95F0,00000000,00000000), ref: 067F9803
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193447280.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_67f0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: HookWindows
                                            • String ID:
                                            • API String ID: 2559412058-0
                                            • Opcode ID: 7bf0da054530a2e49d0cf6beca0a1d9fd396bd02339f5194fb74b49f7b0c3dda
                                            • Instruction ID: 6a01d9c24fbf4ffd23acec2ced2652929d1351252b587e33e71ef5b674637a77
                                            • Opcode Fuzzy Hash: 7bf0da054530a2e49d0cf6beca0a1d9fd396bd02339f5194fb74b49f7b0c3dda
                                            • Instruction Fuzzy Hash: E32134B1D002098FCB14CF9AC844BEEFBF5AF88320F10842AE558A7250C775A944CFA1
                                            Function 029FE190 Relevance: 1.6, APIs: 1, Instructions: 55COMMON
                                            Download Yara Rule
                                            APIs
                                            • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,029FEA7A), ref: 029FEB67
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4189514329.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_29f0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: GlobalMemoryStatus
                                            • String ID:
                                            • API String ID: 1890195054-0
                                            • Opcode ID: 641baaa35969f095c11dbe74bbc7f7bd39bbbc3dbca3db6fe9a78b22ac01d7b3
                                            • Instruction ID: 93296c4e78f2d0e3934edefed84273aa4b8b64379dda9773a15dcb9c21894ace
                                            • Opcode Fuzzy Hash: 641baaa35969f095c11dbe74bbc7f7bd39bbbc3dbca3db6fe9a78b22ac01d7b3
                                            • Instruction Fuzzy Hash: DB1142B1C002699BCB10DF9AC444BEEFBF4EF08320F10816AE918B7250D378A944CFA5
                                            Function 029FEAF8 Relevance: 1.6, APIs: 1, Instructions: 54COMMON
                                            Download Yara Rule
                                            APIs
                                            • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,029FEA7A), ref: 029FEB67
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4189514329.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_29f0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: GlobalMemoryStatus
                                            • String ID:
                                            • API String ID: 1890195054-0
                                            • Opcode ID: cfcd94bb6522fe0b679aafe61e398388011af769e261ce52e04823dc5b5ae611
                                            • Instruction ID: fa709ed79cc358e4c0d7ae26a9148db3053186019bd3bf6c544d0a64b9d69fd1
                                            • Opcode Fuzzy Hash: cfcd94bb6522fe0b679aafe61e398388011af769e261ce52e04823dc5b5ae611
                                            • Instruction Fuzzy Hash: ED1142B1C002699BCB10CFAAC448BDEFBF4AF48324F14816AD958B7250D378A940CFA5
                                            Function 067F0118 Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                                            Download Yara Rule
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 067F11B6
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193447280.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_67f0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 9d9d54f0888378c0830718b258fa2a14e366ca1825aa0b41d117e968c2639eac
                                            • Instruction ID: 2f49b5950a9704bf1e429b1ef49d5ebbfaa2f91075da9c0c9efd2387db758cde
                                            • Opcode Fuzzy Hash: 9d9d54f0888378c0830718b258fa2a14e366ca1825aa0b41d117e968c2639eac
                                            • Instruction Fuzzy Hash: 9D11F0B5C00249CFDB10DF9AC844ADEFBF5AB48214F50842AD919B7310C379A545CFA5
                                            Function 067F114B Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                                            Download Yara Rule
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 067F11B6
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193447280.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_67f0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: f75049c8ab8485b3a6516fd32c1607b2dd48de008e0f7929ac8c6e6228f15e29
                                            • Instruction ID: e84a55b53a83e9d1a7dfa00d53a9e3ef2853355198f18b9a9f3e1a246af70f02
                                            • Opcode Fuzzy Hash: f75049c8ab8485b3a6516fd32c1607b2dd48de008e0f7929ac8c6e6228f15e29
                                            • Instruction Fuzzy Hash: 4411F0B5C00249CFCB10DF9AC848ADEFBF5AB88214F54842AD518A7310C379A545CFA1
                                            Function 067F6C59 Relevance: 1.5, APIs: 1, Instructions: 47comCOMMON
                                            Download Yara Rule
                                            APIs
                                            • OleInitialize.OLE32(00000000), ref: 067F78CD
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193447280.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_67f0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: Initialize
                                            • String ID:
                                            • API String ID: 2538663250-0
                                            • Opcode ID: e08ec15d0e751d68e2239463e2082d76ba9739c386adbcea44af1c161a75cfda
                                            • Instruction ID: aa713b69c5f48ef184a8dd6b11fa8edc5d62b63ece1b0fe7e3305d15558fe2f3
                                            • Opcode Fuzzy Hash: e08ec15d0e751d68e2239463e2082d76ba9739c386adbcea44af1c161a75cfda
                                            • Instruction Fuzzy Hash: D311F2B58143488FDB20DF9AD488B9EBBF4EB48320F148469D559A7310C378A944CFA5
                                            Function 067F6C5C Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON
                                            Download Yara Rule
                                            APIs
                                            • OleInitialize.OLE32(00000000), ref: 067F78CD
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193447280.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_67f0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: Initialize
                                            • String ID:
                                            • API String ID: 2538663250-0
                                            • Opcode ID: 043748d5dfa44c5ace95335950ae6b6a7c7bb5761314a129ed0df455af474119
                                            • Instruction ID: 9c9013da2427d881be221485f729d9c9f216f4464412c72c0a4685464d8b5b4f
                                            • Opcode Fuzzy Hash: 043748d5dfa44c5ace95335950ae6b6a7c7bb5761314a129ed0df455af474119
                                            • Instruction Fuzzy Hash: D61115B19003488FDB20DF9AD488BDEFBF4EB48320F108469D519A7350C378A944CFA5
                                            Function 067F6A24 Relevance: 1.5, APIs: 1, Instructions: 46COMMON
                                            Download Yara Rule
                                            APIs
                                            • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,067F7385), ref: 067F740F
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193447280.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_67f0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: CallbackDispatcherUser
                                            • String ID:
                                            • API String ID: 2492992576-0
                                            • Opcode ID: 9f5e4bd4ab4aea4ef19eaf2b6307613053d90da8904a320886fea437a2821595
                                            • Instruction ID: 1c1571237e0286da5c4f086b2ceaa7aa36af6a5570316569410f33ba88d702ec
                                            • Opcode Fuzzy Hash: 9f5e4bd4ab4aea4ef19eaf2b6307613053d90da8904a320886fea437a2821595
                                            • Instruction Fuzzy Hash: A21106B1800258CFDB10DF9AD444BDEFBF4EB48324F208469D658A7350D774A944CFA5
                                            Function 067F73A8 Relevance: 1.5, APIs: 1, Instructions: 45COMMON
                                            Download Yara Rule
                                            APIs
                                            • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,067F7385), ref: 067F740F
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193447280.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_67f0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: CallbackDispatcherUser
                                            • String ID:
                                            • API String ID: 2492992576-0
                                            • Opcode ID: c7693a6dcdf32cde3c5592b0266e9858eb2585d96e1c72042b0d185a71e9553f
                                            • Instruction ID: c43d507d3cf9228e2bf14467be0f40225c7030d96f2ea94d1453acc85ab75425
                                            • Opcode Fuzzy Hash: c7693a6dcdf32cde3c5592b0266e9858eb2585d96e1c72042b0d185a71e9553f
                                            • Instruction Fuzzy Hash: A611F2B18002588FCB20DF9AD844BEEFBF4EB48324F20846AD558A7350D779A944CFA5
                                            Function 067F7871 Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON
                                            Download Yara Rule
                                            APIs
                                            • OleInitialize.OLE32(00000000), ref: 067F78CD
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193447280.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_67f0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: Initialize
                                            • String ID:
                                            • API String ID: 2538663250-0
                                            • Opcode ID: 56d953b31290f940c2aee7fd7988f4e70ab00b8dd62b2665cdef1d0354991a43
                                            • Instruction ID: f96a2572742df48be875b396b884cdb958232fb968690af68eacb2d4a1be6b7d
                                            • Opcode Fuzzy Hash: 56d953b31290f940c2aee7fd7988f4e70ab00b8dd62b2665cdef1d0354991a43
                                            • Instruction Fuzzy Hash: 2A11F2B58002498FDB20DFAAD444BDEFBF8AB48324F108559D558A7210C378A544CFA5
                                            Function 0680DAA5 Relevance: 1.4, Strings: 1, Instructions: 119COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PH^q
                                            • API String ID: 0-2549759414
                                            • Opcode ID: 5a4b6b2b9c5ad514529ad93a1e710853ebc3dda3de1ca706a10099f266c65e60
                                            • Instruction ID: da20ca068ed3dda5c31f7f7884635c3e42f9c4e0b4b66971bf30a9d507354277
                                            • Opcode Fuzzy Hash: 5a4b6b2b9c5ad514529ad93a1e710853ebc3dda3de1ca706a10099f266c65e60
                                            • Instruction Fuzzy Hash: 8641D630E003099FEFA5DFA5C85469EBBB2FF85304F244929D905EB284DB75D846CB51
                                            Function 0680DAB8 Relevance: 1.4, Strings: 1, Instructions: 117COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PH^q
                                            • API String ID: 0-2549759414
                                            • Opcode ID: 4b887048bb3aa197626024d95f473c97b7c43736845200f6904bd9fbed021ad7
                                            • Instruction ID: 0c4cc6aa33f35e84868f7f83db430872148a3b0055caacfbb4b18b8510a7714d
                                            • Opcode Fuzzy Hash: 4b887048bb3aa197626024d95f473c97b7c43736845200f6904bd9fbed021ad7
                                            • Instruction Fuzzy Hash: 1141B430E003099FEBA5DFA5C9546AEBBB2FF85304F204929D505E7384DB75D846CB81
                                            Function 068021BD Relevance: 1.4, Strings: 1, Instructions: 108COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PH^q
                                            • API String ID: 0-2549759414
                                            • Opcode ID: 1abffed4af65d42d6329cc825fed811706c3264a951c622e6793164fd3b8f684
                                            • Instruction ID: 38553d6deb66891b9db35469a9950d382736135a45e321b80196b6ded639d738
                                            • Opcode Fuzzy Hash: 1abffed4af65d42d6329cc825fed811706c3264a951c622e6793164fd3b8f684
                                            • Instruction Fuzzy Hash: C7311530B102019FEB999B74D92866E7BE2BB89304F108439D406DB394EF79CD46CBA5
                                            Function 068021D0 Relevance: 1.4, Strings: 1, Instructions: 105COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PH^q
                                            • API String ID: 0-2549759414
                                            • Opcode ID: b4e8375789cac8983f691873568cf6581f097c7fd1822a820cdd2c8b4eba1d5a
                                            • Instruction ID: 43d8fa62f6a153f24597a7baa8b5b4a8dd1c4620854ea208bab205ec7ad6b501
                                            • Opcode Fuzzy Hash: b4e8375789cac8983f691873568cf6581f097c7fd1822a820cdd2c8b4eba1d5a
                                            • Instruction Fuzzy Hash: 4A31F630B102059FEB999BB4D92866F7BE3AB89204F104838D406DB394DF75DD45CBA5
                                            Function 0680B208 Relevance: .3, Instructions: 298COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 52316a4da61d2c79f1a05f2d0fa4a447c06679b27e7e8d5590a38b1911f1615b
                                            • Instruction ID: a97be3842a7cf46a8a0a69dd6c425d0514586a3b698b5694ff8418f0735e1fe1
                                            • Opcode Fuzzy Hash: 52316a4da61d2c79f1a05f2d0fa4a447c06679b27e7e8d5590a38b1911f1615b
                                            • Instruction Fuzzy Hash: 54B19334E102099FFFA4DBA8D9907AEB7B6EB89310F204C25E505E73D5CA36DC818B51
                                            Function 068061D8 Relevance: .2, Instructions: 229COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 523bc624b68ad0eb22d4438cbb7a2b691078638f9e0f5bf5d874ebd935171778
                                            • Instruction ID: ae63e23cc9c87df4a74ca41f60795539b3373babbd3d485bb6a8d8e5f66e1afa
                                            • Opcode Fuzzy Hash: 523bc624b68ad0eb22d4438cbb7a2b691078638f9e0f5bf5d874ebd935171778
                                            • Instruction Fuzzy Hash: 7A61E171F000214FDB509A7DCC8466FAAD7AFC8214B25483AE80EDB364EE65DD5287D2
                                            Function 06804289 Relevance: .2, Instructions: 221COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 643a32d569da42b12a3a13995bd2da279e2930497820539708bfc215de98d356
                                            • Instruction ID: 293697ed125ff648f5fb7cc63448d3d04e35106cf2770fd1e381c26682b6cdf8
                                            • Opcode Fuzzy Hash: 643a32d569da42b12a3a13995bd2da279e2930497820539708bfc215de98d356
                                            • Instruction Fuzzy Hash: 3F815E34B006099FDF94DFA8D95476E7BF2AF89304F108829D50AEB394EB70DC428B81
                                            Function 068045A8 Relevance: .2, Instructions: 220COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e4b690e790115876430ee41c56d75fc96a38263965cd09aa95381890a94c008b
                                            • Instruction ID: fa33355951e8d97654f1d1133affd682033a07d1b61a237573e6264e0f51666d
                                            • Opcode Fuzzy Hash: e4b690e790115876430ee41c56d75fc96a38263965cd09aa95381890a94c008b
                                            • Instruction Fuzzy Hash: A4913D30E102198FEB50DF68C890B9DB7B1FF89300F208995D659EB295EB70A985CF91
                                            Function 06804298 Relevance: .2, Instructions: 218COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 595f77c50bf8b67b8c3dfc3c43548a647d57f66ad62babd3c8aa058139976437
                                            • Instruction ID: a92d8bd9ffa231fdbf21437f1be821646ebb914b5870c7d7fc82703b93226c9c
                                            • Opcode Fuzzy Hash: 595f77c50bf8b67b8c3dfc3c43548a647d57f66ad62babd3c8aa058139976437
                                            • Instruction Fuzzy Hash: 88814E34B006099FDF94DFA8D95476EB7F6AF89304F108829D50AEB394EB30DC428B91
                                            Function 068045C0 Relevance: .2, Instructions: 210COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5bbd9aadab71b04c8c18b4b122d0da8f388f7ca741b49d82fdc21f1c096d8d1b
                                            • Instruction ID: 4f56c2a4b99e4e2afefa8d6e50860a66dbe6b9c077e1dd36b9b456a83518c9a5
                                            • Opcode Fuzzy Hash: 5bbd9aadab71b04c8c18b4b122d0da8f388f7ca741b49d82fdc21f1c096d8d1b
                                            • Instruction Fuzzy Hash: C2913F30E102198BEF54DF68C880B9DB7B1FF85304F208995D659EB395EB70A985CF91
                                            Function 0680EB00 Relevance: .2, Instructions: 209COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ed52e80c80da15ab0b7887a8b272286564316ff9d007db0144bfa3f9954f6552
                                            • Instruction ID: c40f5efa7036e0657f353921c7a9fca0720956ae6d6b6ab39ba6a60b1e6dbf10
                                            • Opcode Fuzzy Hash: ed52e80c80da15ab0b7887a8b272286564316ff9d007db0144bfa3f9954f6552
                                            • Instruction Fuzzy Hash: 78813F30B002098FEB95DFA8D994A9EBBF6FF84314F148829D515EB395DB31E946CB40
                                            Function 0680EB10 Relevance: .2, Instructions: 201COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 063db5e2f94dee49b3d3b929520064556541f352c108bc802877ca9551ba83ce
                                            • Instruction ID: 7164b0b9d26dbe42b926f56e46d789a8a4c967c122aa3280ec3f000c5ac07211
                                            • Opcode Fuzzy Hash: 063db5e2f94dee49b3d3b929520064556541f352c108bc802877ca9551ba83ce
                                            • Instruction Fuzzy Hash: 03712A30A002099FEB94DFA8D994A9EBBF6FF84304F148829D515EB395DB30ED46CB51
                                            Function 0680FBB0 Relevance: .2, Instructions: 171COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 60948004fe29e1b59872f45eae298b721158855a60507f3451ed4820364d8465
                                            • Instruction ID: 925bd4026c20ddd1cfa2a4c403decdc192de3d9a3f6c78116c0ece8f642b82f0
                                            • Opcode Fuzzy Hash: 60948004fe29e1b59872f45eae298b721158855a60507f3451ed4820364d8465
                                            • Instruction Fuzzy Hash: 5A51E231E00119DFEFB4EB68E8556ADB7B2FB84315F10C879EA0AD7290DB358845CB81
                                            Function 0680F951 Relevance: .2, Instructions: 171COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3bdc263840bff17bc731191486be8cd31f97de57ff0983cac066acf1f437b9b6
                                            • Instruction ID: e8ba24dde99844aa79eafba81b21ad5653da043747c5a3824c477712101195d9
                                            • Opcode Fuzzy Hash: 3bdc263840bff17bc731191486be8cd31f97de57ff0983cac066acf1f437b9b6
                                            • Instruction Fuzzy Hash: 0551B434B102049FFFF4966CDD6472F265AE789714F208C26EB0AE37D9CA29CC458792
                                            Function 0680F960 Relevance: .2, Instructions: 163COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 315037e10f7f59a67d390023dfc3194eaba1f51657abc31ebaed0302f4c6d779
                                            • Instruction ID: 7dffbbd16b6938ba667e4387b03797f5b8a72a159faeb2e39f298b4af3a4d53f
                                            • Opcode Fuzzy Hash: 315037e10f7f59a67d390023dfc3194eaba1f51657abc31ebaed0302f4c6d779
                                            • Instruction Fuzzy Hash: 9B517334B102049BFFB4566CDD5472F365AE789714F208C2AEB0AD37D9CA69CC458792
                                            Function 06805410 Relevance: .1, Instructions: 126COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 02a8a415a4847a4b858b2e528fe0bf2c5306fbcaa653409b8d23fadbf97d33a9
                                            • Instruction ID: e070ae4719511e82f39b0914be3ad22468e5d3384c62f97ceb1e659c64bdaa31
                                            • Opcode Fuzzy Hash: 02a8a415a4847a4b858b2e528fe0bf2c5306fbcaa653409b8d23fadbf97d33a9
                                            • Instruction Fuzzy Hash: BD414F75E006099BEFB0CE99DDC0AAEF7B2EB44210F104D2AD256D7690D730E8558FA2
                                            Function 0680FBA0 Relevance: .1, Instructions: 108COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5b9fdbec5f12163ceb27074377f9a7cd3d1daaa2b46aec43cee0632d83d319c7
                                            • Instruction ID: 458f67a2725ec028e8d2ba404971a0fa5d07ea057fd9faf548083fb55fb182ca
                                            • Opcode Fuzzy Hash: 5b9fdbec5f12163ceb27074377f9a7cd3d1daaa2b46aec43cee0632d83d319c7
                                            • Instruction Fuzzy Hash: 3231F632E105059FEB65AB78E85416EBBB3FF84215F10CC79DA0AD7290DF31985ACB81
                                            Function 06802080 Relevance: .1, Instructions: 95COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5d7c881828be67c47dcc1e4106db7962a3a06cd18ee250ce21f42a725aeb64d5
                                            • Instruction ID: 8646a25ac1fa22f79a0b254e9ec3aafdbb2af61c81f68326ac798f5791410ea7
                                            • Opcode Fuzzy Hash: 5d7c881828be67c47dcc1e4106db7962a3a06cd18ee250ce21f42a725aeb64d5
                                            • Instruction Fuzzy Hash: F8318134E102069FDB55CF64D89869EB7B2FF89304F54C92AE915E7380DBB1AD42CB40
                                            Function 06802090 Relevance: .1, Instructions: 91COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5fed31d9644cc073158bc68d34e8d38f9f9b2b3af2ca968647cbf40d5109384c
                                            • Instruction ID: 9bf62200e33a7c14adaf57ce3209b582e0a0fa1ecb1e1132d2752ea8e54952d5
                                            • Opcode Fuzzy Hash: 5fed31d9644cc073158bc68d34e8d38f9f9b2b3af2ca968647cbf40d5109384c
                                            • Instruction Fuzzy Hash: A3318334E102099FDB55CF64D89869EB7F6BF89304F14C929E915E7380DBB1AD42CB40
                                            Function 06803A88 Relevance: .1, Instructions: 83COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9213203f431f7dbbddf0e3b3f8995ae8a5fd39c830ad9218353ab535e30cfb49
                                            • Instruction ID: 511a42da1edd0f9de6d5ac9c367b6ecc9758d4606e47a62c310cea1f56f043d0
                                            • Opcode Fuzzy Hash: 9213203f431f7dbbddf0e3b3f8995ae8a5fd39c830ad9218353ab535e30cfb49
                                            • Instruction Fuzzy Hash: 6A219675F006099FDF90DFA9DD41B9E7BF1AB48754F104429E944E7391E730D9018B91
                                            Function 06803A98 Relevance: .1, Instructions: 78COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 273fcbc8039de72588cd04ad017afe4fea261f13bfe4badaa50782d9a3088e9f
                                            • Instruction ID: eeee6a3f13fb78fc12f0ae8a89e31c0fa247f5df574291b2ede4f2099af2516c
                                            • Opcode Fuzzy Hash: 273fcbc8039de72588cd04ad017afe4fea261f13bfe4badaa50782d9a3088e9f
                                            • Instruction Fuzzy Hash: 6D219F75F00A199FEB90DF69DD41AAEBBF1FB48714F108429E905E7390E730D9018B91
                                            Function 0111D030 Relevance: .1, Instructions: 72COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4189309138.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_111d000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 285b71e9c5b918f1115bd7a1fb5f9d01bcbe0d24af3877be1edc59dd10873687
                                            • Instruction ID: a68a018b199427d66719e6c8ca6f13d68ee41276579473aba7215e994f02d065
                                            • Opcode Fuzzy Hash: 285b71e9c5b918f1115bd7a1fb5f9d01bcbe0d24af3877be1edc59dd10873687
                                            • Instruction Fuzzy Hash: 0C212271604200DFCF19DF58E988B2AFBA5EB84314F20C67DD8094B25AC33AD846CA62
                                            Function 0111D1F8 Relevance: .1, Instructions: 72COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4189309138.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_111d000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8d50366f2257e7741020a05f9d34db3cc73fabe85e5e5c2167a90827a49ca7a2
                                            • Instruction ID: d917758c3ebe766563200b5cd2f108fad5d61202e12faeceeffaf28b4bc75ad7
                                            • Opcode Fuzzy Hash: 8d50366f2257e7741020a05f9d34db3cc73fabe85e5e5c2167a90827a49ca7a2
                                            • Instruction Fuzzy Hash: E0212971504200DFDF19DF98E5C8B6AFB65FB84324F20C57DD8194B24AC376D446C662
                                            Function 0111D3A8 Relevance: .1, Instructions: 72COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4189309138.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_111d000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 89389f26306ebefc71d8eecd8e1dba80754789e6f8ba70a714e7fc570f0c5e77
                                            • Instruction ID: dc7f90b248b7d4c0ae7a0abcd7eaebbf17db68624d3f1b2f371d685d40915ffa
                                            • Opcode Fuzzy Hash: 89389f26306ebefc71d8eecd8e1dba80754789e6f8ba70a714e7fc570f0c5e77
                                            • Instruction Fuzzy Hash: 5E2137B1544200DFCF09DF58E5C8B26FB65FB84314F20C57DD9094BA5AC336E446CA62
                                            Function 06806D00 Relevance: .1, Instructions: 68COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f4cd1e471a9e147441f7ca332fdae43d43dbd83ecc3029b88303892f99f0b8c3
                                            • Instruction ID: 0fb982e6ac12adcb0f4e594b49573c145e063d7addc7dec1e45d3597d8b1fd2f
                                            • Opcode Fuzzy Hash: f4cd1e471a9e147441f7ca332fdae43d43dbd83ecc3029b88303892f99f0b8c3
                                            • Instruction Fuzzy Hash: 8121E731F101099FEF94DB69E95066EB7B6EF84314F248825D905DB380EB32EC918B85
                                            Function 06805401 Relevance: .1, Instructions: 67COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3f88b6ff1d370eb1886b68f7b226ae683a6c9c74049d5eed67e3c3bcf476d842
                                            • Instruction ID: c40b416fffbb84e3d1b9407273199e4970de338052914fd4080ea9a00cf6c19f
                                            • Opcode Fuzzy Hash: 3f88b6ff1d370eb1886b68f7b226ae683a6c9c74049d5eed67e3c3bcf476d842
                                            • Instruction Fuzzy Hash: A4214C71A00B099FDB70CFA9CD809AFFBB2FB84210F144929D255D7691D770A8558FA1
                                            Function 06803BA8 Relevance: .1, Instructions: 59COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5ad0565bdbf056c3e5279eef6c0e433e12d3a76b7a159b993351664e6100708f
                                            • Instruction ID: d4df9270010b8ada3c7434dc705bee7201e48b1380738e652fb6e8d633cccaa5
                                            • Opcode Fuzzy Hash: 5ad0565bdbf056c3e5279eef6c0e433e12d3a76b7a159b993351664e6100708f
                                            • Instruction Fuzzy Hash: F611A136B105295FEF949679CC14AAE77AAABC8214B00883AD50AE7384DF75DC428BD1
                                            Function 068041E8 Relevance: .1, Instructions: 58COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4f86e8e7f367fd264360bd4111f3853bd88020df3f22ba9d7974a12f92eabc8a
                                            • Instruction ID: 971ed14fb8e15f3404ed5e063b04884aa5cadf64f30d2d48e80a5d155652f2f3
                                            • Opcode Fuzzy Hash: 4f86e8e7f367fd264360bd4111f3853bd88020df3f22ba9d7974a12f92eabc8a
                                            • Instruction Fuzzy Hash: A301F531F101105FEBA1A17DA81072EB7EACBCA214F14CC3AE60DC7395DA50CC428391
                                            Function 06803B98 Relevance: .1, Instructions: 57COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 123a51003ac4d04debd15f7c559a2bcffb2e6e29fd94aaf9ab1c0f897c40dd69
                                            • Instruction ID: 68fb4f93935e58c892c6f04cbe2f52e403d8e9b9ea2b171df6f04df3bf4c2b3b
                                            • Opcode Fuzzy Hash: 123a51003ac4d04debd15f7c559a2bcffb2e6e29fd94aaf9ab1c0f897c40dd69
                                            • Instruction Fuzzy Hash: 0701DD36F2081A5FFFD49569DC25AEF77AE9BC4228F00483AD509E3284EE64C94247D2
                                            Function 06803860 Relevance: .1, Instructions: 55COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2d4afc42280795f3a74b021259a0695c31f380ff0a4b0615dfa09ec50af7fd8b
                                            • Instruction ID: 725d83f313d4910a79584324c0b941aa22689e439727e11a2a475f100be9ea28
                                            • Opcode Fuzzy Hash: 2d4afc42280795f3a74b021259a0695c31f380ff0a4b0615dfa09ec50af7fd8b
                                            • Instruction Fuzzy Hash: 5121CFB1D01219AFDB50DF9AD884ADEFBB4FB48320F50856AE918A7250C374A944CFA5
                                            Function 0680ED80 Relevance: .1, Instructions: 55COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cdc878ec97d9b842430429d1d4943be749e37b0a3442623b8e87d1442e318842
                                            • Instruction ID: 331ad6abdf871e03f7089b1586316917de681a7aa33913f6601161faf5ae6432
                                            • Opcode Fuzzy Hash: cdc878ec97d9b842430429d1d4943be749e37b0a3442623b8e87d1442e318842
                                            • Instruction Fuzzy Hash: 6D01F935B101104FDB56DA3CE85862FB7E6DBCA614F148C6AEA0ACB381DE21DC034785
                                            Function 0680A2E9 Relevance: .1, Instructions: 54COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 18a66ec776599985e84bcf9cd7e988e7d12ecc9d2d7e167c0cc9205a588b786c
                                            • Instruction ID: 4461dcce1f3b38e8db719fac6c9b34a96f6afd5916e11f1200bf875640ba5ef1
                                            • Opcode Fuzzy Hash: 18a66ec776599985e84bcf9cd7e988e7d12ecc9d2d7e167c0cc9205a588b786c
                                            • Instruction Fuzzy Hash: 5601B930B106010FE7F9E678E96071E7BD5E78E614F10883AE609C73D6ED25DC428785
                                            Function 0111D1F3 Relevance: .1, Instructions: 53COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4189309138.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_111d000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
                                            • Instruction ID: b57aef8477d256fc061caa228ac2eaca39bead0d32a074686b6abd562c69b465
                                            • Opcode Fuzzy Hash: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
                                            • Instruction Fuzzy Hash: 7B11B275504280CFDB16CF54E5C8B55FF71FB84324F24C6AAD8494B65AC33AD40ACB92
                                            Function 0111D3A3 Relevance: .1, Instructions: 53COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4189309138.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_111d000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                            • Instruction ID: d9cda0acaf697e2bd125152e667db4793edb1b4e3af2e97b12ae113422e5fb13
                                            • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                            • Instruction Fuzzy Hash: 76110075544240CFCB06CF54D5C8B15FF61FB84314F24C6AED9094BA56C33AE40ACB52
                                            Function 0111D02B Relevance: .1, Instructions: 53COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4189309138.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_111d000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                            • Instruction ID: d501e67a670fed5df8b19e0a9e4e1150fd6df58e6f23b57d88c6f4d20eea1c58
                                            • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                            • Instruction Fuzzy Hash: 0F11D075504280CFDB16CF58D5C4B15FF71FB84314F24C6AAD8494B656C33AD44ACB62
                                            Function 06803048 Relevance: .1, Instructions: 53COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 46fe695146a3d5baa85070242e54a2495926b2e4325c2aacb54b822dce503e01
                                            • Instruction ID: a8291fce3d22e421cf0e8b121f332ef4efa063fd74f71824cdcfc1870ce88dde
                                            • Opcode Fuzzy Hash: 46fe695146a3d5baa85070242e54a2495926b2e4325c2aacb54b822dce503e01
                                            • Instruction Fuzzy Hash: 63016171E012199BEBA8DB79DC405DEF7B5EB89310F1089AAD505E7240DA31D941CF91
                                            Function 06803868 Relevance: .1, Instructions: 52COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7c60d44243369e7963b27c068baa8851d97ddfc1548f4e5c485a99249b985af7
                                            • Instruction ID: e1331e3f3ac1ba3df47d948bf402d683133fa81018dce9c3978cb4c9e70162a2
                                            • Opcode Fuzzy Hash: 7c60d44243369e7963b27c068baa8851d97ddfc1548f4e5c485a99249b985af7
                                            • Instruction Fuzzy Hash: 9C11D0B1D01219AFCB10DF9AD884ADEFBB4FB48320F10852AE918A7240C374A944CFA5
                                            Function 068041F8 Relevance: .1, Instructions: 51COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a563c38034786e229cac156d26b2b198e7079d1263e6656277885995b68f68b3
                                            • Instruction ID: 06958f9a0788735320ffef8bdddcb61b95701fdfdc31661a6dd5a291ffafc86f
                                            • Opcode Fuzzy Hash: a563c38034786e229cac156d26b2b198e7079d1263e6656277885995b68f68b3
                                            • Instruction Fuzzy Hash: 8F01D131F100105BEBA4E5BDA80072FA3DADBCE624F20883AE60EC7394DE61DC424395
                                            Function 0680ED90 Relevance: .0, Instructions: 49COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8a54e07dd2349c6f60135be9a47cbe8aef21e16aa5429457dcd72a3505ceab6f
                                            • Instruction ID: f136df34886c74b3f0bd31770491c8a70697ece8243b7b3d16244e90d3dc593d
                                            • Opcode Fuzzy Hash: 8a54e07dd2349c6f60135be9a47cbe8aef21e16aa5429457dcd72a3505ceab6f
                                            • Instruction Fuzzy Hash: C201F430B101115BEBA4DA3DE88872F63DADBCA610F108C3AFA0AC7380DE21DC024785
                                            Function 0680A2F8 Relevance: .0, Instructions: 46COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d280154616a195dc1da260bf224f694c06802ceee22d2e082d34b286a3fb25d1
                                            • Instruction ID: f3e9cc5c58017e05f3aa5ca137ccd78a276e310b9dd2dfc6403b805b008e87fe
                                            • Opcode Fuzzy Hash: d280154616a195dc1da260bf224f694c06802ceee22d2e082d34b286a3fb25d1
                                            • Instruction Fuzzy Hash: 1801A430B105110FEBA8E67CE95171EB7DAEB8E754F108839E60AC73D5EE25DC028785
                                            Function 0680C7C0 Relevance: .0, Instructions: 33COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 041895357cdcccf3a9a966807143fa6860b02f4acb3edfa48c1bcd15d1de746e
                                            • Instruction ID: d05c8afc765300a4f4e166539c04d56d0732dbdadd5def8a31da7620de152d47
                                            • Opcode Fuzzy Hash: 041895357cdcccf3a9a966807143fa6860b02f4acb3edfa48c1bcd15d1de746e
                                            • Instruction Fuzzy Hash: EFF0A736F212689BDB945A69DC0099EB379F784358F104929DE01E7788D7316800C7C4
                                            Function 06806458 Relevance: .0, Instructions: 31COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bb8e0cc0388903fe64571b62f1478944572cc5df6796e3fe6ae97a95d863ddbd
                                            • Instruction ID: a02875e3ded24d87b86f0182986b0e56828d38316da286717d4f7728c71220c6
                                            • Opcode Fuzzy Hash: bb8e0cc0388903fe64571b62f1478944572cc5df6796e3fe6ae97a95d863ddbd
                                            • Instruction Fuzzy Hash: 94F0E571E286487BEBB0CE78DC0576E7B689B02228F10CD96E448DB1D1F576CA51ABC1
                                            Function 06806468 Relevance: .0, Instructions: 22COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: aa976699a50b98a0a6b50c08d3026a88d70fc42e5459dfcadbf44bb0d2ea6d04
                                            • Instruction ID: 97eae141f3efc3535430f4a245d637d430bec12ac7ef2181b38d1ec886bc8596
                                            • Opcode Fuzzy Hash: aa976699a50b98a0a6b50c08d3026a88d70fc42e5459dfcadbf44bb0d2ea6d04
                                            • Instruction Fuzzy Hash: 80E08C71E10109BBEFA0CEA48D0575E77ACDB01218F2088A4D508C7281F172CA918380

                                            Non-executed Functions

                                            Function 06807688 Relevance: 13.0, Strings: 10, Instructions: 468COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                            • API String ID: 0-2222239885
                                            • Opcode ID: aa823414e81c87d7a86d5d858b0eebc48a42fc2b8edad7805091516d0363d81b
                                            • Instruction ID: 2d08fa116b0c679c379e219daa68013cb1f6d51882a4d85d665919fb0a258f46
                                            • Opcode Fuzzy Hash: aa823414e81c87d7a86d5d858b0eebc48a42fc2b8edad7805091516d0363d81b
                                            • Instruction Fuzzy Hash: 8C120F30E006198FEBA8DF65D954A9DB7F6BF88304F208969D509EB354DB30AD85CF81
                                            Function 0680A918 Relevance: 10.2, Strings: 8, Instructions: 229COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                            • API String ID: 0-3823777903
                                            • Opcode ID: 80a74712aa080dd66186bb2ae69736d67f4e23f37a897a812ecee1595c350a93
                                            • Instruction ID: 35a78bbaa0bec906b90c240b8c7f3de6daa6ea936ba1f24fdb9100b0acf1ed27
                                            • Opcode Fuzzy Hash: 80a74712aa080dd66186bb2ae69736d67f4e23f37a897a812ecee1595c350a93
                                            • Instruction Fuzzy Hash: 07917E30E103099FFBA8DB64DA55B6E7BB2AF84304F208929D401EB2D5DB759885CB90
                                            Function 06807088 Relevance: 9.2, Strings: 7, Instructions: 405COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
                                            • API String ID: 0-390881366
                                            • Opcode ID: fa75b8fa899f519a7ef85e3a4c4f7d86b0fcc5be2e5caa8a58cf943990fe2519
                                            • Instruction ID: 39d79ae28ebc6f0509f3658273046ac0b399c1647fb7bd78bdf0f4336f20a6b2
                                            • Opcode Fuzzy Hash: fa75b8fa899f519a7ef85e3a4c4f7d86b0fcc5be2e5caa8a58cf943990fe2519
                                            • Instruction Fuzzy Hash: 0FF14034B00209CFEB99EB64C944A6EBBB7BF84304F148929D515DB799DB31EC42CB91
                                            Function 068083C0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $^q$$^q$$^q$$^q
                                            • API String ID: 0-2125118731
                                            • Opcode ID: 551d6e67cf6d0600ffc8d1ad6f3d5b8ef5b2a0a08b99f33fd643b973e5068191
                                            • Instruction ID: 3e954c554f3c470ed2115171ec62a8f36ebda78d6f9f2bc7fec21b058dbdf1dc
                                            • Opcode Fuzzy Hash: 551d6e67cf6d0600ffc8d1ad6f3d5b8ef5b2a0a08b99f33fd643b973e5068191
                                            • Instruction Fuzzy Hash: 1BB14D70B10209CFEBA8DB68C98466EB7B6BF84304F148929D515DB399DB75DC82CB81
                                            Function 068087D8 Relevance: 5.2, Strings: 4, Instructions: 168COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LR^q$LR^q$$^q$$^q
                                            • API String ID: 0-2454687669
                                            • Opcode ID: 4af72dede8883735f9a2252b370eb59107d73e4910da6b47e9b853224a262a70
                                            • Instruction ID: 65cc16ebdc3ea7752ac19cdd3697391c1945358bbbbefc0d179e1812e64207d9
                                            • Opcode Fuzzy Hash: 4af72dede8883735f9a2252b370eb59107d73e4910da6b47e9b853224a262a70
                                            • Instruction Fuzzy Hash: 4051B430B002058FEF98EB28D941A6EB7A6FF85308F148968E515DB399DB71EC85CB41
                                            Function 0680ACA3 Relevance: 5.2, Strings: 4, Instructions: 163COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.4193494559.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6800000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $^q$$^q$$^q$$^q
                                            • API String ID: 0-2125118731
                                            • Opcode ID: da662b43365711516d6a7a7e526c85239f400b6dd7f9ecbecc66a3ce841a2946
                                            • Instruction ID: 3333aa0e4036e7cbfeeb9a7e68cbe7786a4bf5c4e1dc90eaa238346a5deb760a
                                            • Opcode Fuzzy Hash: da662b43365711516d6a7a7e526c85239f400b6dd7f9ecbecc66a3ce841a2946
                                            • Instruction Fuzzy Hash: 86519030E103098FEFE9DB68D9806ADB7B2EB84314F108929D905DB396DB31DC41CB91