Edit tour

Windows Analysis Report
hesaphareketi_1.exe

Overview

General Information

Sample name:	hesaphareketi_1.exe
Analysis ID:	1447918
MD5:	f95b9a1c5289b35be63e254949d22041
SHA1:	6f6ea15d0e4c24b9cedc2c9d92b71de39fdcd89f
SHA256:	59488d405e3242fe18b8cc30a362da1e3170d2facc85a3d7be83fe0d7b0080ef
Tags:	exe
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Detected potential crypto function

One or more processes crash

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

hesaphareketi_1.exe (PID: 1072 cmdline: "C:\Users\user\Desktop\hesaphareketi_1.exe" MD5: F95B9A1C5289B35BE63E254949D22041)

WerFault.exe (PID: 1704 cmdline: C:\Windows\system32\WerFault.exe -u -p 1072 -s 876 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: hesaphareketi_1.exe	ReversingLabs: Detection: 34%
Source: hesaphareketi_1.exe	Virustotal: Detection: 36%			Perma Link

Machine Learning detection for sample

Source: hesaphareketi_1.exe

Joe Sandbox ML: detected

Source: hesaphareketi_1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Drawing.pdbMZ@ source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb source: hesaphareketi_1.exe, 00000000.00000002.1794842691.000001D89A5EE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: em\S0_4.0..tex `9\System.Core.pdb source: hesaphareketi_1.exe, 00000000.00000002.1794662194.000000033FCF4000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Core.pdbsP source: hesaphareketi_1.exe, 00000000.00000002.1795845051.000001D8B48C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: indoC:\Windows\System.Core.pdb source: hesaphareketi_1.exe, 00000000.00000002.1794662194.000000033FCF4000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Core.pdbTP source: hesaphareketi_1.exe, 00000000.00000002.1795845051.000001D8B48C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb` source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: hesaphareketi_1.exe, 00000000.00000002.1795845051.000001D8B48C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: Microsoft.CSharp.pdb source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Users\user\Desktop\hesaphareketi_1.PDB source: hesaphareketi_1.exe, 00000000.00000002.1794842691.000001D89A5EE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: System.Windows.Forms.pdb` source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: System.pdb source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbH source: hesaphareketi_1.exe, 00000000.00000002.1794842691.000001D89A5EE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdb source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb source: hesaphareketi_1.exe, 00000000.00000002.1794842691.000001D89A5EE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdblT source: hesaphareketi_1.exe, 00000000.00000002.1794842691.000001D89A5EE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb&3 source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: mscorlib.pdbb source: hesaphareketi_1.exe, 00000000.00000002.1795845051.000001D8B48C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: mscorlib.pdb source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: hesaphareketi_1.exe, 00000000.00000002.1794842691.000001D89A5EE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Core.pdb source: hesaphareketi_1.exe, 00000000.00000002.1795845051.000001D8B48C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: keti.PDB source: hesaphareketi_1.exe, 00000000.00000002.1794662194.000000033FCF4000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Dynamic.pdb source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb]R source: hesaphareketi_1.exe, 00000000.00000002.1795845051.000001D8B48C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: indows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: hesaphareketi_1.exe, 00000000.00000002.1794842691.000001D89A5EE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: mscorlib.ni.pdb source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: System.Core.pdbID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: hesaphareketi_1.exe, 00000000.00000002.1795845051.000001D8B48C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdblP#K source: hesaphareketi_1.exe, 00000000.00000002.1795845051.000001D8B48C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: hesaphareketi_1.exe, 00000000.00000002.1795845051.000001D8B48C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbZ source: hesaphareketi_1.exe, 00000000.00000002.1795845051.000001D8B48C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER2B2E.tmp.dmp.3.dr

Source: Amcache.hve.3.dr

String found in binary or memory: http://upx.sf.net

Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Code function: 0_2_00007FFD9B881E9A	0_2_00007FFD9B881E9A
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Code function: 0_2_00007FFD9B8845E8	0_2_00007FFD9B8845E8
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Code function: 0_2_00007FFD9B888A40	0_2_00007FFD9B888A40
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Code function: 0_2_00007FFD9B884698	0_2_00007FFD9B884698
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Code function: 0_2_00007FFD9B8805D3	0_2_00007FFD9B8805D3
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Code function: 0_2_00007FFD9B8808A5	0_2_00007FFD9B8808A5

Source: C:\Users\user\Desktop\hesaphareketi_1.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1072 -s 876

Source: hesaphareketi_1.exe

Static PE information: No import functions for PE file found

Source: hesaphareketi_1.exe, 00000000.00000000.1627780843.000001D89A40C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameIpogazezowamifayL vs hesaphareketi_1.exe
Source: hesaphareketi_1.exe, 00000000.00000000.1627760546.000001D89A402000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNativeMethods.dll" vs hesaphareketi_1.exe
Source: hesaphareketi_1.exe	Binary or memory string: OriginalFilenameNativeMethods.dll" vs hesaphareketi_1.exe
Source: hesaphareketi_1.exe	Binary or memory string: OriginalFilenameIpogazezowamifayL vs hesaphareketi_1.exe

Source: classification engine

Classification label: mal52.winEXE@2/5@0/0

Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1072

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\91fa9421-19a8-47e7-b0ba-e9e203b2689d

Jump to behavior

Source: hesaphareketi_1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: hesaphareketi_1.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\hesaphareketi_1.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: hesaphareketi_1.exe	ReversingLabs: Detection: 34%
Source: hesaphareketi_1.exe	Virustotal: Detection: 36%

Source: C:\Users\user\Desktop\hesaphareketi_1.exe

File read: C:\Users\user\Desktop\hesaphareketi_1.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\hesaphareketi_1.exe "C:\Users\user\Desktop\hesaphareketi_1.exe"
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1072 -s 876

Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi_1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi_1.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: hesaphareketi_1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: hesaphareketi_1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: hesaphareketi_1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: System.Drawing.pdbMZ@ source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb source: hesaphareketi_1.exe, 00000000.00000002.1794842691.000001D89A5EE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: em\S0_4.0..tex `9\System.Core.pdb source: hesaphareketi_1.exe, 00000000.00000002.1794662194.000000033FCF4000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Core.pdbsP source: hesaphareketi_1.exe, 00000000.00000002.1795845051.000001D8B48C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: indoC:\Windows\System.Core.pdb source: hesaphareketi_1.exe, 00000000.00000002.1794662194.000000033FCF4000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Core.pdbTP source: hesaphareketi_1.exe, 00000000.00000002.1795845051.000001D8B48C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb` source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: hesaphareketi_1.exe, 00000000.00000002.1795845051.000001D8B48C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: Microsoft.CSharp.pdb source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Users\user\Desktop\hesaphareketi_1.PDB source: hesaphareketi_1.exe, 00000000.00000002.1794842691.000001D89A5EE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: System.Windows.Forms.pdb` source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: System.pdb source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbH source: hesaphareketi_1.exe, 00000000.00000002.1794842691.000001D89A5EE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdb source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb source: hesaphareketi_1.exe, 00000000.00000002.1794842691.000001D89A5EE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdblT source: hesaphareketi_1.exe, 00000000.00000002.1794842691.000001D89A5EE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb&3 source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: mscorlib.pdbb source: hesaphareketi_1.exe, 00000000.00000002.1795845051.000001D8B48C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: mscorlib.pdb source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: hesaphareketi_1.exe, 00000000.00000002.1794842691.000001D89A5EE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Core.pdb source: hesaphareketi_1.exe, 00000000.00000002.1795845051.000001D8B48C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: keti.PDB source: hesaphareketi_1.exe, 00000000.00000002.1794662194.000000033FCF4000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Dynamic.pdb source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb]R source: hesaphareketi_1.exe, 00000000.00000002.1795845051.000001D8B48C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: indows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: hesaphareketi_1.exe, 00000000.00000002.1794842691.000001D89A5EE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: mscorlib.ni.pdb source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: System.Core.pdbID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: hesaphareketi_1.exe, 00000000.00000002.1795845051.000001D8B48C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdblP#K source: hesaphareketi_1.exe, 00000000.00000002.1795845051.000001D8B48C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: hesaphareketi_1.exe, 00000000.00000002.1795845051.000001D8B48C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbZ source: hesaphareketi_1.exe, 00000000.00000002.1795845051.000001D8B48C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER2B2E.tmp.dmp.3.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER2B2E.tmp.dmp.3.dr

Source: hesaphareketi_1.exe

Static PE information: 0xD7B7C12B [Thu Sep 7 05:46:19 2084 UTC]

Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Code function: 0_2_00007FFD9B8859E7 push es; retf		0_2_00007FFD9B885A27
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Code function: 0_2_00007FFD9B8800BD pushad ; iretd		0_2_00007FFD9B8800C1

Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Memory allocated: 1D89A730000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Memory allocated: 1D8B4180000 memory reserve \| memory write watch			Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi_1.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Queries volume information: C:\Users\user\Desktop\hesaphareketi_1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi_1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
hesaphareketi_1.exe	34%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
hesaphareketi_1.exe	37%	Virustotal		Browse
hesaphareketi_1.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.3.dr	false	URL Reputation: safe URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1447918
Start date and time:	2024-05-27 12:29:01 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	hesaphareketi_1.exe
Detection:	MAL
Classification:	mal52.winEXE@2/5@0/0
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.20
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target hesaphareketi_1.exe, PID 1072 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:30:04	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_hesaphareketi_1._249f7061c93968d61f11176880c786d0825038ed_7ae9667d_914613ef-3e3c-4d5a-921c-68d5898b3235\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9745005047560896
Encrypted:	false
SSDEEP:	192:9MJRotZ/PsJD0DNxkNnaWBeNzuiF0Z24lO8eKb:QRothPtDNxkNnamEzuiF0Y4lO8eo
MD5:	34BEBBA79414EF7F828747766569413B
SHA1:	73FD4E2D3531E7D15275CB5041AB58F155C08FE7
SHA-256:	A585DAB64BEBA1C8336651F6455FDABD15DCDB7D7CDE0C8E803AB4F73048C7A4
SHA-512:	AB09CA5B313BA266824A501EACA58B9D125C6885BA09269A3563EBC64818FA25D7461F795982578800ED33E9C1004A30AF2DBFFD13EC5013FE340892056F528C
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.1.2.7.9.3.9.0.0.5.9.6.3.4.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.1.2.7.9.3.9.0.5.2.8.3.8.0.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.1.4.6.1.3.e.f.-.3.e.3.c.-.4.d.5.a.-.9.2.1.c.-.6.8.d.5.8.9.8.b.3.2.3.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.5.6.e.2.2.4.2.-.f.a.4.b.-.4.4.8.7.-.8.6.9.a.-.5.8.4.0.c.2.4.b.4.f.3.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.h.e.s.a.p.h.a.r.e.k.e.t.i._.1...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.I.p.o.g.a.z.e.z.o.w.a.m.i.f.a.y.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.4.3.0.-.0.0.0.1.-.0.0.1.4.-.7.d.a.8.-.6.4.c.c.2.0.b.0.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.2.f.3.4.f.4.6.f.e.9.a.d.e.7.9.4.a.0.3.8.4.f.1.3.6.6.8.9.4.7.0.0.0.0.0.0.0.0.0.!.0.0.0.0.6.f.6.e.a.1.5.d.0.e.4.c.2.4.b.9.c.e.d.c.2.c.9.d.9.2.b.7.1.d.e.3.9.f.d.c.d.8.9.f.!.h.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2B2E.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Mon May 27 10:29:50 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	381107
Entropy (8bit):	3.455229667335315
Encrypted:	false
SSDEEP:	3072:WQUkhRK/f4GsXIcSCrFYUP1CCqAtq7m3+vuqtdN9tdN9tdN9tdVBW:WQUkqHrdCl/qAMm3QusB
MD5:	A2BD6B662817A47E3141CB9FF846E740
SHA1:	2994D6EF2F4E481FC59461021D7BDEB7ACAD5ED9
SHA-256:	6B55950C04F25932B6E5F84D2D691BBC9AAD87013BD7CD99298EB04F78D37867
SHA-512:	F26E4A44C47793A3DD3E0538A9CB1D46F1CD0F2911F89974A285E322D09C75E6A869762284670745AA8AA497AD0369F4F70EB784B56E774ACB0B58B1A45E72CE
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........`Tf....................................$...........\............G..&m..........l.......8...........T............"..............85..........$7..............................................................................eJ.......7......Lw......................T.......0....`Tf.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C57.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8644
Entropy (8bit):	3.705997403233806
Encrypted:	false
SSDEEP:	192:R6l7wVeJMYfdZ6Y9cDulgmfZDxydBFprH89bxR0fNobm:R6lXJM6Z6YmalgmfWdBwxCfr
MD5:	5B91C020AB0E7655608DBB52C5BF7833
SHA1:	C7946DE13CEECF3C458FFB2600D1838D15866192
SHA-256:	1C3E043ADA0BCDF27272BEB35E009E2ACA91C293FB25A8DBB8750DE41103E2FB
SHA-512:	64F4F3C6E35A91497A989F35AC1A5F8A0509DC74FF37AE12519C1F5CD8FACDAA6DCDBE96DD137B8FE1265190183A3F12A3B04DC703A1B9886ECF155244781ED0
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.0.7.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C87.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4846
Entropy (8bit):	4.515202814958182
Encrypted:	false
SSDEEP:	48:cvIwWl8zswJg771I9GhWpW8VYwYm8M4JYHE1FqUyq8vaHEORFcd:uIjf2I75w7VcJYkBWakORFcd
MD5:	39726A22A44D7568EDB60040F7628C2E
SHA1:	2C24E5FE1B3C6D1B87A1C041681A4AEDD5039328
SHA-256:	1A0736194F74D95C3E53F5B1E3EDE41F455EA7B6B03CE453C1A2ACB402FA050D
SHA-512:	9D31AF8E142226173C2BE3A7FB16BA9CDBCDA0C092AAB13273213345464F6BA1701B2C988F4FC94E8066534D58E03C6AE068CD5E625CD5BCA2A44BC2B3735477
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="341372" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.466088191263007
Encrypted:	false
SSDEEP:	6144:3IXfpi67eLPU9skLmb0b4GWSPKaJG8nAgejZMMhA2gX4WABl0uNxdwBCswSbd:4XD94GWlLZMM6YFHr+d
MD5:	A5CC1917D84890E30CF36FFF38C0BF49
SHA1:	4CDCD852237D5EDBD5005A6387535AE4B5E8AAD6
SHA-256:	644D4E347BA3610C0679CC8529458B2BA9CEDF4B4E3EF32A077EA2147A1D6E3D
SHA-512:	590AEF60E2ACB6DCC2F616BC0D266A51E6D1326B422A7D69D8BA6B17C1EEE7F23815E9578E314927F6644FC44EDF37D42A1ECD8F17ACCE67DFB5FC528F1B3674
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.931760283986919
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	hesaphareketi_1.exe
File size:	396'026 bytes
MD5:	f95b9a1c5289b35be63e254949d22041
SHA1:	6f6ea15d0e4c24b9cedc2c9d92b71de39fdcd89f
SHA256:	59488d405e3242fe18b8cc30a362da1e3170d2facc85a3d7be83fe0d7b0080ef
SHA512:	a88fb991df9e2f933f06127b5c6cf9138d83fae8e0f62881e1e734029524220c74244c3395bd7d1bb4c1c6fc3390dc5aedbad9901a19da0b6fbcb2ff8d2462b1
SSDEEP:	12288:k9Xl+wonve99dbGPG+gibay1WTIlLuRtjI0y:kLRovq78GniOTTyLurk0y
TLSH:	64842322B7E4543FFE775A3A2C7656804BB2F6973583C71F0D05440E1992F98AA11BF2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...+............."...0.h................ ....@...... ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xD7B7C12B [Thu Sep 7 05:46:19 2084 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0xa2c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0xae4c	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8e68	0x9000	386a7fd3473f1031b3bb1b57a29e28d0	False	0.4472113715277778	data	5.59051913511134	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0xa2c	0xc00	90fada40f10d95ad2130b4bab5089096	False	0.2662760416666667	data	4.419763654252248	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xc0b8	0x3c4	data			0.48443983402489627
RT_VERSION	0xc47c	0x3c4	data	English	United States	0.48651452282157676
RT_MANIFEST	0xc840	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 27, 2024 12:29:52.099004030 CEST	53	50659	1.1.1.1	192.168.2.4
May 27, 2024 12:30:07.586587906 CEST	53	61102	1.1.1.1	192.168.2.4

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: hesaphareketi_1.exePID: 1072, Parent PID: 2580

General

Target ID:	0
Start time:	06:29:47
Start date:	27/05/2024
Path:	C:\Users\user\Desktop\hesaphareketi_1.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\hesaphareketi_1.exe"
Imagebase:	0x1d89a400000
File size:	396'026 bytes
MD5 hash:	F95B9A1C5289B35BE63E254949D22041
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 1704, Parent PID: 1072

General

Target ID:	3
Start time:	06:29:49
Start date:	27/05/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 1072 -s 876
Imagebase:	0x7ff7699e0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: hesaphareketi_1.exePID: 1072, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9B8805D3 Relevance: 6.7, Strings: 5, Instructions: 496COMMON

Download Yara Rule

Strings

5K>, xrefs: 00007FFD9B88066E
O_^I, xrefs: 00007FFD9B8806C9
O_^H, xrefs: 00007FFD9B8806C2
O_^h, xrefs: 00007FFD9B8807A2
O_^_, xrefs: 00007FFD9B88077A

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID: 5K>$O_^H$O_^I$O_^_$O_^h
API String ID: 0-1694782861
Opcode ID: 16e49cf870d462aff42589f7e134d9f24db09342c7752dc1e499e58c92436e1d
Instruction ID: e88f0fdaad34113ae39d26eb4165605414069932f953c3ff725039c0de2f9278
Opcode Fuzzy Hash: 16e49cf870d462aff42589f7e134d9f24db09342c7752dc1e499e58c92436e1d
Instruction Fuzzy Hash: 4CD19D26B0D92A4BE719BBBCB8255F53780EF85325B0501B7C5AECB097EC24788387D1

Function 00007FFD9B881E9A Relevance: 1.9, Strings: 1, Instructions: 691COMMON

Download Yara Rule

Strings

{BO_^, xrefs: 00007FFD9B882109

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID: {BO_^
API String ID: 0-982671803
Opcode ID: bb06f4e8a8c34fb1c82b0aa2301e9dd55c77a9917ed0e6664ec13386d39938d3
Instruction ID: 789487b3e1ad6d452857ae0eef2b8d1ad2a494490aef955b079eb66c9345a8b9
Opcode Fuzzy Hash: bb06f4e8a8c34fb1c82b0aa2301e9dd55c77a9917ed0e6664ec13386d39938d3
Instruction Fuzzy Hash: 2612F321B29D4E4FE799EBAC887176866D2EF8C710F1101BAD02DC72D7CD38AC418792

Function 00007FFD9B8808A5 Relevance: 1.6, Instructions: 1629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 684231a79b8951cee19135dab9370ca366c282e422623964c6b71d738640266b
Instruction ID: 62e3621066ea43ab6a89edfe650695a05168d34729474b3c1f79ef5a72f947db
Opcode Fuzzy Hash: 684231a79b8951cee19135dab9370ca366c282e422623964c6b71d738640266b
Instruction Fuzzy Hash: E4C2653071CB488FD74D9B6CD520A6477A1FF4A744F6441AEE046DB2E3CE25AD41CB26

Function 00007FFD9B8845E8 Relevance: .9, Instructions: 853COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc70586b687b28463f6919aeb14419719bb237dec76f692fadc83b76dac1babf
Instruction ID: fd3ae4b9b38757004a87daae8b82810b59d6afdb08211bf4845ed74475294f1b
Opcode Fuzzy Hash: bc70586b687b28463f6919aeb14419719bb237dec76f692fadc83b76dac1babf
Instruction Fuzzy Hash: B8322A31B1DA494BE76CE76CA8626B577C2EF9C314F45417EE04EC72E3DD28A9028391

Function 00007FFD9B888A40 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6129a947dcdb2467661ab20c5d50c13ce311b4c7764df3e98ee99085f6eac0db
Instruction ID: 7ef2ec14d8802ba0c0c30591de27084cecd211750b1ccc7dbd012942788a8a55
Opcode Fuzzy Hash: 6129a947dcdb2467661ab20c5d50c13ce311b4c7764df3e98ee99085f6eac0db
Instruction Fuzzy Hash: D6A13A62B1EE890FD76DDB684864665B7E2EFA534070841FFC09AC71EBED34A9078341

Function 00007FFD9B8806FA Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

=O_^, xrefs: 00007FFD9B880701
O_^h, xrefs: 00007FFD9B8807A2
O_^R, xrefs: 00007FFD9B880712
O_^_, xrefs: 00007FFD9B88077A
O_^O, xrefs: 00007FFD9B8806FA

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID: =O_^$O_^O$O_^R$O_^_$O_^h
API String ID: 0-1473851404
Opcode ID: 9eef6ccb07d01210800d09d1255c3ec7e7f778a383512df9c9c0eb31c44965cd
Instruction ID: 1a9f19be25ff5e8d6acef7dd5f3cba469418ab695118971eda6fbe3719853764
Opcode Fuzzy Hash: 9eef6ccb07d01210800d09d1255c3ec7e7f778a383512df9c9c0eb31c44965cd
Instruction Fuzzy Hash: 0741F993B1F57686E21B33FD7C768E92B00CF4177DB0941B3D1AD8A0D7AC19218751A5

Function 00007FFD9B8806D3 Relevance: 2.7, Strings: 2, Instructions: 196COMMON

Download Yara Rule

Strings

O_^h, xrefs: 00007FFD9B8807A2
O_^_, xrefs: 00007FFD9B88077A

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID: O_^_$O_^h
API String ID: 0-311500872
Opcode ID: 5ae98c66a41c804fe0500d9eb66ee19f85fecef38d03cbc9465ddd7bf7446737
Instruction ID: 0401e8e7f6b88d93423c80ef435ea35b8e5d2a7eb2df59707beec4719304e2bd
Opcode Fuzzy Hash: 5ae98c66a41c804fe0500d9eb66ee19f85fecef38d03cbc9465ddd7bf7446737
Instruction Fuzzy Hash: 7451F687B0F57686E22A33ED7C7A8E92B00CF4177DB0942F3E1AD8A0D76C59248751E5

Function 00007FFD9B8A1F10 Relevance: 1.9, Strings: 1, Instructions: 667COMMON

Download Yara Rule

Strings

%M_^, xrefs: 00007FFD9B8A1F01

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID: %M_^
API String ID: 0-2132452331
Opcode ID: 01ac8be2c65ec094531fe8e4fcd18e488d404417d8f9b4e775fc3d5e477bd5ee
Instruction ID: a702da0b818595ccccf802fbcd8f132e074c675540cf33b4a578a9f57bce7bdd
Opcode Fuzzy Hash: 01ac8be2c65ec094531fe8e4fcd18e488d404417d8f9b4e775fc3d5e477bd5ee
Instruction Fuzzy Hash: 8C124E72B1DE890BE76DAB6C587A1B437D2EF99350B0541BEE09DC31E7ED14A8038345

Function 00007FFD9B88B818 Relevance: 1.7, Strings: 1, Instructions: 479COMMON

Download Yara Rule

Strings

>M_H, xrefs: 00007FFD9B89E760

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID: >M_H
API String ID: 0-215402020
Opcode ID: 6fb1489fd2f2a2929e231fe5fdb9b98e690e1306025a3cc009f4cf81f30c3c95
Instruction ID: 4ee1a0fcdfd2922b6a84af5f1bde19a66c31cd0034b68baeec82f296d26f1405
Opcode Fuzzy Hash: 6fb1489fd2f2a2929e231fe5fdb9b98e690e1306025a3cc009f4cf81f30c3c95
Instruction Fuzzy Hash: BDD10331B09D0D4FDFA8EB2C94A4A757BD2EFA831171541F6D00EC72AADD25EC468780

Function 00007FFD9B8951E0 Relevance: 1.7, Strings: 1, Instructions: 463COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9B895549

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 1e52b5a5694dd9c2f570413989522ec64f8ddecb8197af73bf56f9f7b95ba04b
Instruction ID: 50141493eeeac76aa1d6cf1ac194b7c077f3c1e856affe3f641eb8f0168edb26
Opcode Fuzzy Hash: 1e52b5a5694dd9c2f570413989522ec64f8ddecb8197af73bf56f9f7b95ba04b
Instruction Fuzzy Hash: 8FE1A030618B098FDB68DF18D495AB5B7E2FB99310F14457ED08EC3696DA35F842CB81

Function 00007FFD9B88C052 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

cN_H, xrefs: 00007FFD9B88C16E

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID: cN_H
API String ID: 0-938979074
Opcode ID: bff616979765b8da3a6ba77570f4e0496675e239dff8ac7509e843c731083af1
Instruction ID: 92cca90ac9c0b4555373351838b6070cd92dbed98ba3b11ef3a27390102d7504
Opcode Fuzzy Hash: bff616979765b8da3a6ba77570f4e0496675e239dff8ac7509e843c731083af1
Instruction Fuzzy Hash: AB31E272B19E098FE76CEB2C986967477D2EF9D34071541BFE01EC72A6DD20AC028781

Function 00007FFD9B883A90 Relevance: .8, Instructions: 831COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8598ce3018f2e67b9cbd8093068d44723bd74e17f7617ed32a0c837d2ced41b9
Instruction ID: e73ff7c10b8c28f119243842a80f8d3721a2bd388f5cebbbf2f516faaa07a953
Opcode Fuzzy Hash: 8598ce3018f2e67b9cbd8093068d44723bd74e17f7617ed32a0c837d2ced41b9
Instruction Fuzzy Hash: 87428E30719A0D8FEBA4EB6CC464B657BE1FF59300F1501BAD45ECB2A6DE24ED418B41

Function 00007FFD9B881D78 Relevance: .8, Instructions: 823COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f74378487cd869399207ac2a78d0b7296ea9269b0ae8a94ff7c6ffd9eca50df2
Instruction ID: fdb4d3aeb03312f2c1c5e5f8e41b629ada0c70ebc20c1214bcd5e927129b0df8
Opcode Fuzzy Hash: f74378487cd869399207ac2a78d0b7296ea9269b0ae8a94ff7c6ffd9eca50df2
Instruction Fuzzy Hash: 73425335B1EE8E5BEFAE975848315347A92EF99340B1940BED41AC71E7ED35ED028301

Function 00007FFD9B881D88 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb3fc7d520a6c83d4919d462c7a5c888fb7c0812fb7b9ae135e0d6991d2f0465
Instruction ID: a538769ef08d98ca7648fcbb0f15ef7c7a41f0f9105b2442535045a6657287f0
Opcode Fuzzy Hash: cb3fc7d520a6c83d4919d462c7a5c888fb7c0812fb7b9ae135e0d6991d2f0465
Instruction Fuzzy Hash: 48220532B0EA4E4FEBA9DB6C58692307BD2EF8D350B0541BAD45EC71E7DD16AD018780

Function 00007FFD9B889E48 Relevance: .7, Instructions: 682COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f88c06eb6c26fcd9c18201644de1c7f441b35fb7b08b3b5b05f26ff55a644010
Instruction ID: 5107bd6ef617e7c2cbb311f3e8eda09b0216c2591aaa5ceb3242c1acc83405fa
Opcode Fuzzy Hash: f88c06eb6c26fcd9c18201644de1c7f441b35fb7b08b3b5b05f26ff55a644010
Instruction Fuzzy Hash: 03226831A0DB4A4FEB29DB68D8A15B5BBE0FF55310B0545BED09EC71A3ED24B8428781

Function 00007FFD9B881DC8 Relevance: .7, Instructions: 664COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31cb46b483a2e1d995c8ecbafeaf69799b02788d610329df962525f4bdb58fd4
Instruction ID: 446ba1f30422e2851b54f1796d73b25a89a3abc0990ff13035b3d38950b6049c
Opcode Fuzzy Hash: 31cb46b483a2e1d995c8ecbafeaf69799b02788d610329df962525f4bdb58fd4
Instruction Fuzzy Hash: 1822E430A19A4D8FDBA8EF28C495AA577E1FF59300F1541AED40EC72A6DE35EC42CB41

Function 00007FFD9B881DF8 Relevance: .6, Instructions: 609COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c2dd883b13229d6cfc1314abe123662b2b76baf7ef2a4fcae6ad07bcf30ed1f
Instruction ID: 30a4b72ec766d226cef5d58f254cddaee49c4df4b49a56d50e72fbbbaf415b2f
Opcode Fuzzy Hash: 9c2dd883b13229d6cfc1314abe123662b2b76baf7ef2a4fcae6ad07bcf30ed1f
Instruction Fuzzy Hash: E602A131B19E0A4FDBA8EF68C4A5A7573E2FF68310B1541B9D45EC32A6DE24FD428740

Function 00007FFD9B8B4538 Relevance: .5, Instructions: 538COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 868520983e1a742a4f34ec3266f2eafe8f3065ac17a5da3cc61424f530f40f4f
Instruction ID: 8c43515707e705e37da771cb589ed5d006cfef1b42e28471c59c61f427ec04be
Opcode Fuzzy Hash: 868520983e1a742a4f34ec3266f2eafe8f3065ac17a5da3cc61424f530f40f4f
Instruction Fuzzy Hash: E2021761A0EBC64FE75A977888715647FE1EF5B300B0A41EBD089CB1E3DD18AC46C792

Function 00007FFD9B889E70 Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b019508ffe6b1808a306300684fbc560bfdcbc187d771f0fc8c3c0ad9a5ac2f3
Instruction ID: b7de24dcdb26db125a6a06030f283333193ad53cbba9b2fd16baaf02acdfaa01
Opcode Fuzzy Hash: b019508ffe6b1808a306300684fbc560bfdcbc187d771f0fc8c3c0ad9a5ac2f3
Instruction Fuzzy Hash: 32C16530A1DF4D8FE76CDB6884615B1BBE0FF59314B1406BED49EC31A2EA25B942C781

Function 00007FFD9B880790 Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edf9affc20bc843cd90bd70f9462d00dbce982fbd38ddf49ed5d808b6019f0e1
Instruction ID: 0e0c18a8f304682398dfe933c3c54907070d9f62ded74d2f6187b95946565a09
Opcode Fuzzy Hash: edf9affc20bc843cd90bd70f9462d00dbce982fbd38ddf49ed5d808b6019f0e1
Instruction Fuzzy Hash: 26B1233170DA488FEB5CEF6C9865A3037D1EF6A354B1501BED05ACB2E3DA35AC428781

Function 00007FFD9B888E08 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb91927bb869407bc1312bdff41a7f6029465184f5faafb966f052191c6b8a5c
Instruction ID: 51f6691aa7e3454814e98a667ce5f3b06e62700b0dc80e3dca0c346eecd17162
Opcode Fuzzy Hash: cb91927bb869407bc1312bdff41a7f6029465184f5faafb966f052191c6b8a5c
Instruction Fuzzy Hash: 6C91583161EB494FDB28DB5CD8968B57BD0EF99320B1542BED48AC32B2DD25B847C381

Function 00007FFD9B89C5B0 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3e7798c820b0e3a2d839087dfc63be7e9e4783103ef013dae92f2fdc6d9073b
Instruction ID: 8f7b6ba1753830fe622e4a3298e99992435393aec1c52235260e0de265f91f34
Opcode Fuzzy Hash: b3e7798c820b0e3a2d839087dfc63be7e9e4783103ef013dae92f2fdc6d9073b
Instruction Fuzzy Hash: 7DA1C331B1994D8FEFA5DB5CC8A86A53BD1FF9C344B0601B9E41DD72B2DE26AD018B40

Function 00007FFD9B89D394 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c61db9cdfea379516d251f462c7edabda1e6898890df207be24442c4d3e9c13
Instruction ID: 7274e189c71748bcd0fdc6e23e1701c8bc33ad6bab021ae6b014088f0764fadf
Opcode Fuzzy Hash: 1c61db9cdfea379516d251f462c7edabda1e6898890df207be24442c4d3e9c13
Instruction Fuzzy Hash: 21A10A2070D9898FDB7CDB1CE865BA937D1EF58304F1540AEE45EC72A7CE24AD428749

Function 00007FFD9B8850FA Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e7c040e5c920f1d888494824f183e2c7dcd1874867b662171a6b30acc456ebe
Instruction ID: dda439b0f62105b73cc61fe75bfd1531fa1f36bde742a05d7bbb594eee7d2dbe
Opcode Fuzzy Hash: 3e7c040e5c920f1d888494824f183e2c7dcd1874867b662171a6b30acc456ebe
Instruction Fuzzy Hash: 07814523B0ED260BD729B6ACBC259E96790EF9537570802B7D25DCB1E7ED14A80783D0

Function 00007FFD9B88C4A1 Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 851d7c52bd9d0e6c1840fda41032023b8a87022b64d28b4fc0041b59d9f1fc57
Instruction ID: 2bd7e11ceb6ad59fadb1c63e50df517d121a1e4bbe94f5757c754319b1dc437c
Opcode Fuzzy Hash: 851d7c52bd9d0e6c1840fda41032023b8a87022b64d28b4fc0041b59d9f1fc57
Instruction Fuzzy Hash: D7917631B0DA494FD359EB2CD869AF537D0EF89324B0542BED09EC71A7DD28A8438781

Function 00007FFD9B8A1BD8 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cfed1256686c2d4051ee789578610f12ab3b8b2e49910c902b104f91cc1a71d
Instruction ID: c75543bb4da59b8fb774190eb7785a3b00afe901d1421584c62b97943dc1bace
Opcode Fuzzy Hash: 3cfed1256686c2d4051ee789578610f12ab3b8b2e49910c902b104f91cc1a71d
Instruction Fuzzy Hash: 30918130B1DE0E8BEBB8EB588469676B3D2EF98300F15457DD44EC31A6DE34F9428691

Function 00007FFD9B8856CD Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 023cef85f4a8663fb4a607b2a9ca25ac893ab518fdcb6b3c8c53e46ae2aabb9f
Instruction ID: f73ec1b2e0e1f8a45803ab83d6320a81cbab860a0d59fc8e5509fd0bf18ef947
Opcode Fuzzy Hash: 023cef85f4a8663fb4a607b2a9ca25ac893ab518fdcb6b3c8c53e46ae2aabb9f
Instruction Fuzzy Hash: 0E913330B1DE4E8FE7A9EBAC9860AA877E1EF89350F1540BAD019C71E7D9346D02C751

Function 00007FFD9B88A2FA Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ca825ab334be0b02e6c5e4756b9998462d5639d3d4ffc979de01942df286153
Instruction ID: 8169ccb126d916bdb941659bd419f9481bdc049f8e60aa798bd64489e7f63b3b
Opcode Fuzzy Hash: 9ca825ab334be0b02e6c5e4756b9998462d5639d3d4ffc979de01942df286153
Instruction Fuzzy Hash: 14813821B29E8E5FE76CEB2884616A2B7A2EF9934470545BEC05EC71E7DD35BC028340

Function 00007FFD9B889E58 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1534d8d24553f957bcbbc9cd185b1e1153213b0d3db450f966bcf39bb3394929
Instruction ID: 4821228714bd8b196344125b0e03d93f5f0a69969b2e15d2797614f26d3e82a2
Opcode Fuzzy Hash: 1534d8d24553f957bcbbc9cd185b1e1153213b0d3db450f966bcf39bb3394929
Instruction Fuzzy Hash: B481CE30A19B0D4FEB68DF58C495975B7E1FB98300F11497DD49EC36A2EA35F8828B81

Function 00007FFD9B8A9490 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60e9f57d16585ff886d14c4976b522505acf7ba026f148c595d1b0d56df36ec4
Instruction ID: c1e5d080400595f4a0903825ca883e60f1ecb4cfb14330dabfd0ce158bdf353b
Opcode Fuzzy Hash: 60e9f57d16585ff886d14c4976b522505acf7ba026f148c595d1b0d56df36ec4
Instruction Fuzzy Hash: 31717E30B1DA0D8FEFA8EB5C945A66973E1FF9D314F11057AD44AC3262EA21FC428791

Function 00007FFD9B894DB0 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31cf38599b5b28e1bba466774fc2c1b3be3ff4604cbc3aa35940699b1b8f691f
Instruction ID: ef5b3639ad2f2c4f2d431a2dbdff180d1e622bd6de606e5ed39554fb150f1d63
Opcode Fuzzy Hash: 31cf38599b5b28e1bba466774fc2c1b3be3ff4604cbc3aa35940699b1b8f691f
Instruction Fuzzy Hash: 1F713731619B094FDB68DB5CC89997577E0EF98310B19067ED449C72B2DA25BC42C7C1

Function 00007FFD9B882906 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e315978838b6894ad99e3fdb29b1012e57b8049fde5bba6424c65974b96b4e1
Instruction ID: 22a3a386e87b2f0c558cb0edcfad203993548b621e8b4d8f8f555f902b18bee8
Opcode Fuzzy Hash: 6e315978838b6894ad99e3fdb29b1012e57b8049fde5bba6424c65974b96b4e1
Instruction Fuzzy Hash: 6671B031B0CA484FEB9CEB6C9469A6073D2EBAD354B1541BED01AC72E2DD36AC428741

Function 00007FFD9B8839E8 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3125d273bf9cd1b5e2fc506c0e33fde3b82fbd128697ab160709daf2671252
Instruction ID: 8bf3161dd211c85bd932ba5e268b5a46f915f7e11190ce676e284ea7fafdf7fa
Opcode Fuzzy Hash: 6b3125d273bf9cd1b5e2fc506c0e33fde3b82fbd128697ab160709daf2671252
Instruction Fuzzy Hash: 5F71E672B09D4D8FDF98DF5CD498AA9BBE1FF68350B0542BAD41DC3295DE21A842CB40

Function 00007FFD9B8AC410 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36e44524514c5f34176c9b509f6bc466e31eeb8304425bd53d4f23d875858c7b
Instruction ID: be487cfe1e4ca28e610f9b166c9139a8e79125f9ee16ef1660abf1e8ce60a12d
Opcode Fuzzy Hash: 36e44524514c5f34176c9b509f6bc466e31eeb8304425bd53d4f23d875858c7b
Instruction Fuzzy Hash: E4711971A18F494FD79CDB289855AB2B3D1EBA8350F0085BFD05FC31A6EE35B4068742

Function 00007FFD9B883E90 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d8b43518e1d2f3b57efc7a8a7c49b563f8a68343e0a561ead76583b31e7e69b
Instruction ID: 2a5232cf29fd83b5f8910d185ee20afcc97180321b0675383d8dbfd48fe58483
Opcode Fuzzy Hash: 2d8b43518e1d2f3b57efc7a8a7c49b563f8a68343e0a561ead76583b31e7e69b
Instruction Fuzzy Hash: 72710430B0DB594FD72AEB68C4619B57BE1EF49310B1501E9E049C72B7CA29BD42CB91

Function 00007FFD9B883798 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a968c4ceb8f71e43d70155b4b9ce2ae286ae2b75991b1eb023b41b73df5a16ce
Instruction ID: 1ccea6d4e309b760b410aeb4023f20714c55ee1917e207f1235369744af3b777
Opcode Fuzzy Hash: a968c4ceb8f71e43d70155b4b9ce2ae286ae2b75991b1eb023b41b73df5a16ce
Instruction Fuzzy Hash: 3B614821B1EE4E0FEBB9D76C5861BB67BD1EF99310F0942BAD40DC32D6DD28A9054341

Function 00007FFD9B882592 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f7584fc011e89d6d66ac663ac6639ba51aed9afa70810f4f4c2edd92922a6e5
Instruction ID: 7ecf9f2b0c6df8d2e366da0fa7a04faf11fc0f06276d2092aa308b648e86c0a6
Opcode Fuzzy Hash: 9f7584fc011e89d6d66ac663ac6639ba51aed9afa70810f4f4c2edd92922a6e5
Instruction Fuzzy Hash: 7E51702060EB8A4FD75BABE488555B13BD1DF57310B1601F9C8EBC70A7D919AC4387D1

Function 00007FFD9B884745 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4fc695d6a51c6e52914967161196e32e6492492246497c47e39d0525eec798d
Instruction ID: 3233314e0ed1c040bbc30d9461cee8ba142e77fcab20d7785ff545db19d1343c
Opcode Fuzzy Hash: f4fc695d6a51c6e52914967161196e32e6492492246497c47e39d0525eec798d
Instruction Fuzzy Hash: 9E610B30A1DB8A4BE7789F5884693BAB3D5FF99701F05027EC49EC31A1DF34A8428652

Function 00007FFD9B88536D Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5fff03c030d3d7e275234dc5169d95fc1dd6ee65c1970d15252f67a2bf45658
Instruction ID: be34f54e17c683b2cb2ec008f195e3ff9b99e5da4e91f695c1e24ff722194abb
Opcode Fuzzy Hash: c5fff03c030d3d7e275234dc5169d95fc1dd6ee65c1970d15252f67a2bf45658
Instruction Fuzzy Hash: 7E710F31728E098FDB9CEB18D491DA5B3E2FFA830071545A9E01AC76A6DE34FC46CB41

Function 00007FFD9B883B08 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18af5b66e76584187ad92374d7f085a0ae420d65fe434a6e82373991b7201ebc
Instruction ID: 45a8cd0b18d4126acf063817db74403ee2813fffa7fd56af24be780b74fca088
Opcode Fuzzy Hash: 18af5b66e76584187ad92374d7f085a0ae420d65fe434a6e82373991b7201ebc
Instruction Fuzzy Hash: CD515A20B1E94E0FEBA9DB6C88646753FD1FF99311B2A01B9D44DC75ABED18EC468340

Function 00007FFD9B8A89F0 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 793cf53eb3f56daea9c9504a17bf17255e1e2dc796cf624bd036dd1cff6508b1
Instruction ID: 65f9764fa7b54e6f79b1d5bc6510960efadf0b6c74955b55e67f78aba5e45c98
Opcode Fuzzy Hash: 793cf53eb3f56daea9c9504a17bf17255e1e2dc796cf624bd036dd1cff6508b1
Instruction Fuzzy Hash: 0651E061B1EA1E0BEBB8DB98946467477C2EF9C300B4542BED00EC72E6DD35AD438361

Function 00007FFD9B883818 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17a229df4ba6d60dc641a6d20fb87521dea3b5a8c6e676d01ba844a125c0a612
Instruction ID: bb97a3f76384807429ffab12b27c3dadc68de8c0ad5130215d1c718de88bdef3
Opcode Fuzzy Hash: 17a229df4ba6d60dc641a6d20fb87521dea3b5a8c6e676d01ba844a125c0a612
Instruction Fuzzy Hash: 31416D30719E098FEB69EB2C9465A7577D2EFAD314B1501BDE00EC32A6DE34E942C781

Function 00007FFD9B88AF51 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86194895b9afa021ba75038444a870d90c4489da7488dbd3e25ca1ed90d8f536
Instruction ID: bd7cb767b3225119cd601e3a1587676a055270a054c0d1009192cc4d95684e0e
Opcode Fuzzy Hash: 86194895b9afa021ba75038444a870d90c4489da7488dbd3e25ca1ed90d8f536
Instruction Fuzzy Hash: F4418821B0EE8A0FE729972C98605B577E2EFC9300B0941FAD06DC71E7DD39AD428341

Function 00007FFD9B8A36E0 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dea74488e6f0ce52df1154170a5a1e4f468d832dc5b95538c11f06a9d1a5c216
Instruction ID: 53f09504895e947495e7669feec995f85b315726d460685d003c9e980a684333
Opcode Fuzzy Hash: dea74488e6f0ce52df1154170a5a1e4f468d832dc5b95538c11f06a9d1a5c216
Instruction Fuzzy Hash: 84415921B0E7868FE7B5876894646B137F1EF05310F0A41F6C449CB2E2DA1CBD86C391

Function 00007FFD9B881BCC Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19f72eb111c8d56750352d466a90374d9505ad465f9f34517b4b91e6306d6179
Instruction ID: 4a3560dfa1b1fb5881dd2847f69153e5189accd545f6b1aa85ac7fa291e18452
Opcode Fuzzy Hash: 19f72eb111c8d56750352d466a90374d9505ad465f9f34517b4b91e6306d6179
Instruction Fuzzy Hash: 3A413A52B0EA9607F77976AC78652F53BC0DF89364F0802FFE09C460E7EC1869458285

Function 00007FFD9B8AC560 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b9e80665b17aab7c2520aa9551b5b1ec785aa504988b17211b7621f28beb481
Instruction ID: eac06b0912220e2b75d89829d6f10f72e98a0bdec6561ab105d865a0639d6fec
Opcode Fuzzy Hash: 7b9e80665b17aab7c2520aa9551b5b1ec785aa504988b17211b7621f28beb481
Instruction Fuzzy Hash: D4410231B19B495FE7B0C7A8C0A9B72B7D2FF58305F194E78D08A839E1D668B981C750

Function 00007FFD9B883A30 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e23a051ac0b5441aac3dbf40fd2bd1fa1808f2a4dfe3aeb57aa15a730d85d9e
Instruction ID: f76bbcd49e831ba1aa921f7955887a58c6e01b13825f918505d7a497db34ff3e
Opcode Fuzzy Hash: 9e23a051ac0b5441aac3dbf40fd2bd1fa1808f2a4dfe3aeb57aa15a730d85d9e
Instruction Fuzzy Hash: 2D31173171DA0D4FEBA8A76CA8656F977C1EF89364B0501BAE44EC31A7DD25BC428340

Function 00007FFD9B8833C5 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7cf377b79b34b8ab68df77b00e73b931d8057d2660e88277a6bd8c7c70c942a
Instruction ID: 84441d5b3dbdd77678f3ae2fb457d5976566de941a73a67a44f894fbadbbb1cd
Opcode Fuzzy Hash: b7cf377b79b34b8ab68df77b00e73b931d8057d2660e88277a6bd8c7c70c942a
Instruction Fuzzy Hash: 7E410672F0DE4D4FDB56CB6C98756A87BE1EF99300B0501BAE45CD32A2CA346D018391

Function 00007FFD9B883AF8 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa1d8b01fb5ed808324f4296892035872c9aa4883890ad2bad99879daed19055
Instruction ID: bb0663ac78b1af041850369482b571dada19de7c3032abbf6d406a2d50cca9d3
Opcode Fuzzy Hash: fa1d8b01fb5ed808324f4296892035872c9aa4883890ad2bad99879daed19055
Instruction Fuzzy Hash: 3E312821B0D90D0FEBA8EB5C98616757BD2EF9D3617260179D44EC32ABED25BC428380

Function 00007FFD9B883EA8 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b74e01c554611735dbef26812a98dfd99068c4bb504289a560c731daf8db9a5a
Instruction ID: 148c26bbba05da07177f0048b4c147ff443beae4d711664e378a9665ab225a8f
Opcode Fuzzy Hash: b74e01c554611735dbef26812a98dfd99068c4bb504289a560c731daf8db9a5a
Instruction Fuzzy Hash: 9341A530719B188FDB68EB58C4629B973E1EF9C310B1101ADE45A876A3CE34FD42CB95

Function 00007FFD9B881B00 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc7075c2ffd41b9849813de54b9a018fdcb1e4293a4c11e468b268c30a8b9e5c
Instruction ID: 26072f06fb0e8d76a33da0154d8614cc1d253f0c67a2b97ec58b9e3289bcb05d
Opcode Fuzzy Hash: cc7075c2ffd41b9849813de54b9a018fdcb1e4293a4c11e468b268c30a8b9e5c
Instruction Fuzzy Hash: 9C311852A0D66647F32976AC787A5FA3BC0CF4527DF0801FBE09D860E3FC4864865295

Function 00007FFD9B8A31D0 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d0ccb1ad374b9420678d758b23d5c6fa80b11d462506a19428c66028c5f2c1e
Instruction ID: 07c1c8254584694558d0f06616b2d0e0f2d61ea23167df6a8de6a43049c2d6e7
Opcode Fuzzy Hash: 7d0ccb1ad374b9420678d758b23d5c6fa80b11d462506a19428c66028c5f2c1e
Instruction Fuzzy Hash: 9541B231B19F0A9BEBB8EB589464672B3D1FF6C350B05053DD04AC36A1EE25F8408750

Function 00007FFD9B88C290 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 899d008f101ed7de3f0e1d3b27fe69a1bc341e97cba19801b0cdb6321a2650cb
Instruction ID: e9f41989cc4d009c873dc5c9a5a987849579a973191971a0c6d6f714a78c2201
Opcode Fuzzy Hash: 899d008f101ed7de3f0e1d3b27fe69a1bc341e97cba19801b0cdb6321a2650cb
Instruction Fuzzy Hash: F9313721B1DD590FD75CE618A8599B6B3E0EFA8361B0441BBD01EC31EADE38E9438781

Function 00007FFD9B883B10 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cbc3cebfe9f85adf0c878cb19c7a74a75c6f8ed6d12b19909cef7657e6e85c9
Instruction ID: ac7f2d2733142b31258784adf008eea271f13da1cfaabf00c9ea1f34ae6fcbaa
Opcode Fuzzy Hash: 8cbc3cebfe9f85adf0c878cb19c7a74a75c6f8ed6d12b19909cef7657e6e85c9
Instruction Fuzzy Hash: EC31A131719C1D4FEBE8EB9C9498A7967D1EFAC35571500B6E40DC72BADD24EC828780

Function 00007FFD9B881D00 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0051f3d93d552dd7abc2ea8df67d243713043444c539c14b6c16726f94d4362c
Instruction ID: 63e5d6fea127ae2c39f0d9f939e06f5403316fae6a94a220707b8f914771362a
Opcode Fuzzy Hash: 0051f3d93d552dd7abc2ea8df67d243713043444c539c14b6c16726f94d4362c
Instruction Fuzzy Hash: EF310332F0DD0D4FDB99CB5C98616A877E1EF9C340F1501BAE41DE32A1CA356D018781

Function 00007FFD9B883541 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdb3c6889c2f4e693c403246b5560a1ac5ec2cd39b97c5f4d2fa4c532282da22
Instruction ID: 7226f880d4e058a9f47d969ef704fa5ffe4b9a9b0e138cd8c4a387127de899e0
Opcode Fuzzy Hash: cdb3c6889c2f4e693c403246b5560a1ac5ec2cd39b97c5f4d2fa4c532282da22
Instruction Fuzzy Hash: A3312D31A1DF9D4FD799EB7848216E47BE0EF0A350F0605F6E019CB1E3DA385A418751

Function 00007FFD9B884700 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aed3e2f01db9d2ec7b35758a1e5be4409a3cadfcba5b8b68151f427d85c9e20
Instruction ID: 746fac6da7350baaf9d56b39d3bfcac71ae670ffa22ee64a5fb823ca46a2bcf9
Opcode Fuzzy Hash: 4aed3e2f01db9d2ec7b35758a1e5be4409a3cadfcba5b8b68151f427d85c9e20
Instruction Fuzzy Hash: 32312662B1CE450ED75DA65C68569FAB7D0EB98364F0000BFF09F835DBEC65A8434386

Function 00007FFD9B8AC7C8 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b00899d51ab092826b8211fe7f193c3b0a1dff7f428493fae33622aeaa2e29f1
Instruction ID: 99205364e2414ab6ad23c309e549b6dfe422431e0be3065b1c236b343ab03c92
Opcode Fuzzy Hash: b00899d51ab092826b8211fe7f193c3b0a1dff7f428493fae33622aeaa2e29f1
Instruction Fuzzy Hash: 0831F33160DB5C4FDB19AB1CD859DE67BE0EF5A320F0502ABE049C72A3CE61B841C781

Function 00007FFD9B8945E0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9d28c63134f34d8909895373f1ab07ee1ce7c8ca50247f2766ad5495850c082
Instruction ID: 338280726f78ccf5de3a1875291862ad8241a7db75f118878a7cda3a8fedb75c
Opcode Fuzzy Hash: f9d28c63134f34d8909895373f1ab07ee1ce7c8ca50247f2766ad5495850c082
Instruction Fuzzy Hash: 2731E23170DF084FDBA5EB5CD0949A6B7E1EB99754F04067AE44AC3264CE31E9818B82

Function 00007FFD9B881C98 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecde062f996dac7bbf74ca9299e3f2a791ab19358839cb624a3d98827aa6f3e3
Instruction ID: 8615b4f21a1993a32614e19a30457f0a272582aa91c410ac9f91e8e3453aa3f8
Opcode Fuzzy Hash: ecde062f996dac7bbf74ca9299e3f2a791ab19358839cb624a3d98827aa6f3e3
Instruction Fuzzy Hash: 0E313C71B0DA8E4FDF98DF6C88655A93BE2EF6D380F050279D40DD72A5DA34A8028741

Function 00007FFD9B8B13F0 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97ca5786042f22613bd7c5c79bbda11f524385acb565dcb31a4c6a218072d95f
Instruction ID: ad08c2e5fcaa7ea97e2641f085a8a7bea595b3a4269f3aa1a2f66e322ed57a83
Opcode Fuzzy Hash: 97ca5786042f22613bd7c5c79bbda11f524385acb565dcb31a4c6a218072d95f
Instruction Fuzzy Hash: A5316D70719E1E5FEBA4EBADC495E62B3D1FF68300B510579D44EC3662DA25F8418B80

Function 00007FFD9B883EF0 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af6423ac0a7a111fa1525ec559e279ef7d6abdd71e7b3c0adfee8cb2ac7831d6
Instruction ID: 5277e9c43bee5ceeefc3d5c4f7f9f0595b600551b68737676fa20d71d55911dd
Opcode Fuzzy Hash: af6423ac0a7a111fa1525ec559e279ef7d6abdd71e7b3c0adfee8cb2ac7831d6
Instruction Fuzzy Hash: B2313761B19B9E4FE7A9AB7888256A477E0FF19300F0501FAD01DD71E3DD2869418B82

Function 00007FFD9B899EA0 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 758af6dcd043e290c2a6537a3982be80c8556cc03b8018aceec493ec73c421ea
Instruction ID: fe2d0e2017934f2349ccdc9050d583badba5274d4231be7ccac8873c079e1441
Opcode Fuzzy Hash: 758af6dcd043e290c2a6537a3982be80c8556cc03b8018aceec493ec73c421ea
Instruction Fuzzy Hash: B6210A21B2EE0D0FEEB8D79D945977967C1EBAC360B01457AD04EC32A5DC19BD038340

Function 00007FFD9B881D6F Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0397a0f269d00fb779f8f24a5090d882cf9d33b5a21e1de50e39f29c3fe1bb33
Instruction ID: 7e7c6192ef2d7a4b1f8186476f52ff701c4958ae774b69b44e3459206c7e4e40
Opcode Fuzzy Hash: 0397a0f269d00fb779f8f24a5090d882cf9d33b5a21e1de50e39f29c3fe1bb33
Instruction Fuzzy Hash: 4421A130719D084FD79CE62CE859E6573D1FBAD310B0502AEE04EC36A6DE25FC418780

Function 00007FFD9B883768 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed3a92f394e09e22545f9ef02fe895a671c19bb9043651657c6d04efd6d1ee7
Instruction ID: 2dd9788338e58876774ad12d607a76a9285a0804f40ad9e73737dc1da226eda6
Opcode Fuzzy Hash: 2ed3a92f394e09e22545f9ef02fe895a671c19bb9043651657c6d04efd6d1ee7
Instruction Fuzzy Hash: 3A21D13170DD0E4FD798EA18D858A76B391FB98314B10467AD45EC3299DE39E9428781

Function 00007FFD9B8838D3 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a39d7633099dd5ecfaafa6d8ecd2219bea6318924410a7a474200a854c9926e
Instruction ID: 1b0c93ad0c9746dfb78f1f678a6c3961ef0c8584435c24a62a504d454e163038
Opcode Fuzzy Hash: 9a39d7633099dd5ecfaafa6d8ecd2219bea6318924410a7a474200a854c9926e
Instruction Fuzzy Hash: C911066B304524A6830DBAADF9D59EA7398EFC4777344013BD306CF046EA50648B8AE0

Function 00007FFD9B8882FD Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ec881f2917256292642ddd4356d0b84def712b5996b2530d81a50ccfa760ae
Instruction ID: ecd1ad42df118c6c86c8c39a2edaf7614ba7d8d90ebbdc717556372583c60211
Opcode Fuzzy Hash: 06ec881f2917256292642ddd4356d0b84def712b5996b2530d81a50ccfa760ae
Instruction Fuzzy Hash: AA213672A1EE860FD36D9B69A8628A177A0EF5531030542FFD0AAC35E7DD24B84B8301

Function 00007FFD9B8A1B90 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af5f195af302600fe52d30b397cdaf3bc80b4fc208d2a89391623042f6d4147a
Instruction ID: c4d6c25be36ceba9e2df03e03f89b6ab0fb721c64f796e9c75a0aaeddc16de20
Opcode Fuzzy Hash: af5f195af302600fe52d30b397cdaf3bc80b4fc208d2a89391623042f6d4147a
Instruction Fuzzy Hash: FE210821B1EA4D0EEB70A7AC685C3B6B3C0EB9D236F550A3BD84DC21A1ED5D69C18341

Function 00007FFD9B881AD4 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 104ae71ba555195b72eb9c8b2b3a65369e03734b3e6e0c10d033f311546b0e06
Instruction ID: 47197da17c2ec2f3db2deef3ee65bdfc2643c772f8b89d2825f23a56f290af71
Opcode Fuzzy Hash: 104ae71ba555195b72eb9c8b2b3a65369e03734b3e6e0c10d033f311546b0e06
Instruction Fuzzy Hash: DF216D52A0E2E28FE31B737879764D53F60CE4322970D41F7D1D98E0E3E808148A83A6

Function 00007FFD9B8A7EE8 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fc2a4c7cc0d4ec694194e11bb7b7e55dc60437ad245d6fc16358ac89fefabc3
Instruction ID: c5acea03a3a6ecdf5871bfd55c9c19168d0f1ff94d02a5f088e14a7d5c0cdef8
Opcode Fuzzy Hash: 6fc2a4c7cc0d4ec694194e11bb7b7e55dc60437ad245d6fc16358ac89fefabc3
Instruction Fuzzy Hash: 4921A725B0F64D0BD6B5979854752782691EF8D300F1A81B7C04DC72FBCD19AF459362

Function 00007FFD9B882B55 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26159f8cc908a86f2110ea56eae3a242efb001d619f83d8a402beb470c82a1dc
Instruction ID: 9cccd662792e03277426e96dd61aca77a904407503f9042dacc8bb05babae090
Opcode Fuzzy Hash: 26159f8cc908a86f2110ea56eae3a242efb001d619f83d8a402beb470c82a1dc
Instruction Fuzzy Hash: CD112B1170EB5A0BF32556AC78653B67BD0DF89261F0901BFE888C21E3ED199D4693A1

Function 00007FFD9B8848C8 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8152c2467fb904cb675c44275f58911cd270e0da78e091dc30d843932150ff7b
Instruction ID: c87aac6d446c2e544a284af32067e1699d615d48e6060127add28b292576fde0
Opcode Fuzzy Hash: 8152c2467fb904cb675c44275f58911cd270e0da78e091dc30d843932150ff7b
Instruction Fuzzy Hash: E1218131608A0C8FDB18EB1DD849DB6B7E1FBA9720F05026EE04AD3261DE71F841C785

Function 00007FFD9B888346 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6fdc8a07f5aebdfb0e0ca3d9b60d40c011f59e4c3bf52b1512104317b1493b2
Instruction ID: eca8a787e05531875042bf5cf3f8586abbe8e22021c12143ac009d66084dbea5
Opcode Fuzzy Hash: c6fdc8a07f5aebdfb0e0ca3d9b60d40c011f59e4c3bf52b1512104317b1493b2
Instruction Fuzzy Hash: 8A219861B28E4A0BD76CEB5894518A5B3E1FB6831074045BED06FC36DBED34B94B8741

Function 00007FFD9B888D40 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8233ef0cbc2ced243c09e115e7c4622680aaae3e235ea36172147c5b6fd82e39
Instruction ID: 3bddb8ddde843d091196a8e75ed258e80812a644ee9dfed0578cc113d5bdf250
Opcode Fuzzy Hash: 8233ef0cbc2ced243c09e115e7c4622680aaae3e235ea36172147c5b6fd82e39
Instruction Fuzzy Hash: 32212621B1ED4E0FE7A9E76C4469AB427D1EF9A300B0A44F9D01CC72A7DD38E9028341

Function 00007FFD9B88AEA0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dfb7806270a6a92e96d53cfb95e397f3adb1abfc739cd71a90368fef2450bb8
Instruction ID: 7f03bd5fc4c9df4636d96b345b9a828d5d6313ba15f566bad437cb5f571fb4a1
Opcode Fuzzy Hash: 5dfb7806270a6a92e96d53cfb95e397f3adb1abfc739cd71a90368fef2450bb8
Instruction Fuzzy Hash: 8421363060AD4E5FD735DB68C4A48A677E0DF59310B1986BDD06EC71F7D938A986C340

Function 00007FFD9B8A30C0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2633a04bf566b5a59172b8b89772fe64e2304fa28b7e0a0b857ce7161b97a761
Instruction ID: 1395890e3e7bccca833be654ff66d5a52b6494925ed494b99fb726ce8250c0ea
Opcode Fuzzy Hash: 2633a04bf566b5a59172b8b89772fe64e2304fa28b7e0a0b857ce7161b97a761
Instruction Fuzzy Hash: 3C11E721A2CE850FD75CE61898569B6B7D1EBA8350F0044BEF09F835D7EC74A8064342

Function 00007FFD9B882862 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c90b75a3b52a2c628f8884c0933faafd12d8ce582ad175831bea03d1222c6897
Instruction ID: 052ae77f2043eb784b20d5db5cff3508af98a7231710f6c9921c9055e3debf1a
Opcode Fuzzy Hash: c90b75a3b52a2c628f8884c0933faafd12d8ce582ad175831bea03d1222c6897
Instruction Fuzzy Hash: F2118271B18A094BDB5CEF6C6469675B3D2EB5C301B1181BF901EC37E2DE75A8028744

Function 00007FFD9B88C28A Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 871c3a7723cd96452a5bea35fffea9c788450248eb32f3e279d1c20c8f174378
Instruction ID: d3b8197d5f44b5796ddcb38689912233a4f5c12ce7fa6e4453b112c0c003ea64
Opcode Fuzzy Hash: 871c3a7723cd96452a5bea35fffea9c788450248eb32f3e279d1c20c8f174378
Instruction Fuzzy Hash: 9F018832B1DD190BE76CF65CA8188B1B3D0DBA8350B04017FE81DC32EBDC25A9038340

Function 00007FFD9B8855E0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cc48705e1aefa7c1e7a99b9b4b21bc1ef12618a7a0beb69eb300dd67b8eeb04
Instruction ID: b8bd51f01cea2333cdbefac1dfdbbf869bb1867fd0cfe0db0a8266bedf0f7167
Opcode Fuzzy Hash: 7cc48705e1aefa7c1e7a99b9b4b21bc1ef12618a7a0beb69eb300dd67b8eeb04
Instruction Fuzzy Hash: D8016172B1CB484BD71CAB4CB4521BAB7E1EBD8361F10067FF44EC3696EE35A4424686

Function 00007FFD9B894B30 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e074a6b9cf8a948e0acf5c6e58c3eae54acbcbd968a1b27249b9851fc56ea556
Instruction ID: 50bf5b32069829fab20ac586463f5a1b03d0b11b93ad783607de482de6744412
Opcode Fuzzy Hash: e074a6b9cf8a948e0acf5c6e58c3eae54acbcbd968a1b27249b9851fc56ea556
Instruction Fuzzy Hash: 7411BF30B19E0A8BEFB897B89465775B2E1EB98300B18457D801EC21A4EE25A9428780

Function 00007FFD9B8827E8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5c315162a119c5378db6bf45451bf4f3aaff0be05789a7d88c6af587c88aa45
Instruction ID: 80380e771e945eefe242084b6b364887e9d4574ce61b9b751af56e71847bbff4
Opcode Fuzzy Hash: d5c315162a119c5378db6bf45451bf4f3aaff0be05789a7d88c6af587c88aa45
Instruction Fuzzy Hash: 33012893B0EE9D0FFBA8A6AC1C7967116C5EF6D2A0B05017AE41DC31E3EC6529024351

Function 00007FFD9B887D80 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 176e782ed4a01c817d85eddfc72cd61d76116e2a5cace128008d0e3bb77507bc
Instruction ID: 3dc59d692b924a7fd471583bc0bc318cea51f5c80e28b7ad5fee200bc922d79e
Opcode Fuzzy Hash: 176e782ed4a01c817d85eddfc72cd61d76116e2a5cace128008d0e3bb77507bc
Instruction Fuzzy Hash: EB012021B1DE190BA77CB66C78594B677D0DBA836170101BFE41FC35D7EC24A94742C0

Function 00007FFD9B88AE25 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a30d8550a7cf374e2977710da494b075824232b5ce21c36df0a7556950f51d8
Instruction ID: b9abcd6106581cec539fe96a643a1ee67bf1d52cd31c8a11bdc4cdf33cef50ed
Opcode Fuzzy Hash: 3a30d8550a7cf374e2977710da494b075824232b5ce21c36df0a7556950f51d8
Instruction Fuzzy Hash: E101E552E0FECE1FE72587785C258916F919F5621070A4BFAD0A9CB0E7ED3EA5068341

Function 00007FFD9B88BD5D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc09329c3928c1e86a74bb20f0317cd56cf9e467dc3b7c0779e1aa0a10f5fa35
Instruction ID: a58311febd0f7843bebab0d2ed949bee8f51dfe1263b11e941df3103d77ee239
Opcode Fuzzy Hash: dc09329c3928c1e86a74bb20f0317cd56cf9e467dc3b7c0779e1aa0a10f5fa35
Instruction Fuzzy Hash: EF01A222B1DD1A4BD67CA74CB4610B973D1EF9C32071141BEE46EC32DBEE29BA0642C5

Function 00007FFD9B8B13E0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e700d7a13454fda339faa43ca1c1ade6e972a18bfcb267f3a092c539a8411322
Instruction ID: 3214c10f4739f2c43be7897d224513eb27a631b6b642fac2229bf01eb2160042
Opcode Fuzzy Hash: e700d7a13454fda339faa43ca1c1ade6e972a18bfcb267f3a092c539a8411322
Instruction Fuzzy Hash: 5401B121B0EB8A4FD76697BD84A41742AE2EF5E20071A00FFD068CB2B2D8189C068751

Function 00007FFD9B88BB45 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 338033e1c6ebf9f5ec2df0cc725641ae6687477fcc383c60b5a15cff28f6980a
Instruction ID: 932058e2907596dec9d11ef12160dde8aca790feb8c2bf3b2f7d4bf571c3919e
Opcode Fuzzy Hash: 338033e1c6ebf9f5ec2df0cc725641ae6687477fcc383c60b5a15cff28f6980a
Instruction Fuzzy Hash: 7E01924260FBC95FEB6397784C751593FB0AF5A64070A45FAC0D4CB1F3E824590A8301

Function 00007FFD9B8B5E60 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6285306842760c10a35659b2796e3b9aa7a2f77e28a4f4ca70a0724f0d9571ef
Instruction ID: 358aa83913faf13626bf566e507c1f1e70533e58c5cbb444377ea60c795fe37c
Opcode Fuzzy Hash: 6285306842760c10a35659b2796e3b9aa7a2f77e28a4f4ca70a0724f0d9571ef
Instruction Fuzzy Hash: EFF0F621B4E92E0FEBB8D6ADB4B46F436C1EF4C221B4601BAE41DCB1A5E8558DC587C0

Function 00007FFD9B88B186 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7474e40f73a462f913de083f71e420904ada24653c79f8628025d1224caf697
Instruction ID: d7cb9fe1f477be83b86cd3e4f3ee4cb6f24471f23c1abd9307a3f9f60fed1454
Opcode Fuzzy Hash: d7474e40f73a462f913de083f71e420904ada24653c79f8628025d1224caf697
Instruction Fuzzy Hash: 5601A216F1AE4E0BE7EAA76C143063461C2DFD8211B9900B7D42DC72E7EC2AD8424201

Function 00007FFD9B8A1290 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 158192ef9d73482efa83ba7e8f1ad9f05878c629428e556e9995e7a0bb0aa0f5
Instruction ID: 2c834648136a9f0f798386a9b6dea3d86347ed9bfd3cfaa37ad524a7fdb679c4
Opcode Fuzzy Hash: 158192ef9d73482efa83ba7e8f1ad9f05878c629428e556e9995e7a0bb0aa0f5
Instruction Fuzzy Hash: 3CF03A30704C0E8FCAA4F71CD468A2573E6EF9D31130A02A2E40DC7275DE60DC41C780

Function 00007FFD9B885020 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ce11011471489597c5ff623234642913e999a70589192c8ad9dc11386890313
Instruction ID: 6c64ca888c55e4071783357ee9db326103378115cc142174a73eea98d28267dc
Opcode Fuzzy Hash: 8ce11011471489597c5ff623234642913e999a70589192c8ad9dc11386890313
Instruction Fuzzy Hash: 33F08130B19E1A8BDFB997B49064776B2E1FF58304F15447CD06EC3194DE34E9468740

Function 00007FFD9B883E6D Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96b680a3cff2dfb6022bbafd5ef89530671b96cf391343c44952560c57aa1aee
Instruction ID: fc2168cd896ba4df28b5f215bce332e409e83ddf78ea63ddbde6589de90a3770
Opcode Fuzzy Hash: 96b680a3cff2dfb6022bbafd5ef89530671b96cf391343c44952560c57aa1aee
Instruction Fuzzy Hash: 8EF0E501B1A82A07A26522EE28E91FE4286DFDC1257540173E06CC2192DC585C4A4294

Function 00007FFD9B889529 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ec09c33fbad901fc00a6c56d74d682ef028a7e17bbe2c584da63c355472a347
Instruction ID: 5188da54cb38ac7096cf0473f690ea302e0167968e01cbd6d83c76495449afc0
Opcode Fuzzy Hash: 0ec09c33fbad901fc00a6c56d74d682ef028a7e17bbe2c584da63c355472a347
Instruction Fuzzy Hash: 9E01D1309197CD4FCB4ADF248C281E97FB0FF55200B0504EBD468C71A2DA794914C741

Function 00007FFD9B880858 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c587fd246528d99bcbc0844d2f209dfc6a491864ee8a194aaf4f75aa32df9961
Instruction ID: 56455db6a07c794215d2f99688ac28a70ddc657c26eae92b7cda4b0afd6e819d
Opcode Fuzzy Hash: c587fd246528d99bcbc0844d2f209dfc6a491864ee8a194aaf4f75aa32df9961
Instruction Fuzzy Hash: 8BE02B42A0F7C64BE661237D2C7A4D02F50DF07A10F4A01B7C0A88B093980915878391

Function 00007FFD9B883180 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73f8a5bd260fe4952292e853adfd52fde3758e7a815d293e8b64971c11bef6e5
Instruction ID: fc4978aa2fb96c18b5a499e74829f31a3ac0ad320374d1dc8016c2ddb9b8b57a
Opcode Fuzzy Hash: 73f8a5bd260fe4952292e853adfd52fde3758e7a815d293e8b64971c11bef6e5
Instruction Fuzzy Hash: D9F0B40194DE6A05F7F562ED20683B925C19F18211F4A18B9D89DC4DD1D90CFAC543A1

Function 00007FFD9B8A2C70 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac822bf7e7d4278c55fe58438b5db88519156c94ff00c3e84d954ee149246a7e
Instruction ID: 52ed2f32ec02d1a80d62c7d8433068544af94040e647a8e1a8d7cd8f1c449f32
Opcode Fuzzy Hash: ac822bf7e7d4278c55fe58438b5db88519156c94ff00c3e84d954ee149246a7e
Instruction Fuzzy Hash: 66F05C21F1F46D49D77993B824611F41791CF4D320F5541BBD08DC21FBDC1C6A429391

Function 00007FFD9B88A675 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a509fb0893ca6937d24bb8c1fe9b359d8424ab2abd7e6dc363ef1079bd7f640
Instruction ID: 4cba5b22df86df3492422792af57a7c16866f301aadeb64a9d3abb59180bf2d2
Opcode Fuzzy Hash: 2a509fb0893ca6937d24bb8c1fe9b359d8424ab2abd7e6dc363ef1079bd7f640
Instruction Fuzzy Hash: 10E0D83290DBCC4FE725976488250D47FA0EF4A304B5A05EAD4588B0A7F93999198342

Function 00007FFD9B895780 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bb31763b3ec969936a9a103abbee1d7e60ba1621d919624c2374e1cd8d8bba5
Instruction ID: 1a9bc74aeb91ff723a143ba897efbc298b5fc035ba49ee053993caa4818ff7e1
Opcode Fuzzy Hash: 4bb31763b3ec969936a9a103abbee1d7e60ba1621d919624c2374e1cd8d8bba5
Instruction Fuzzy Hash: 21D01D21A18E1D4BDBB8BB7450556B6A1E0FB18310F4109A5D01AC3589DF78A9454781

Function 00007FFD9B88BB80 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d88576015fc2ce022eaee9ff781e17824e3da9e6606d1b714fb55b957c56e48
Instruction ID: 69c528cf2f5fcbee92238024905d4977860da0d65d7284405eda7ca84f7c91c3
Opcode Fuzzy Hash: 5d88576015fc2ce022eaee9ff781e17824e3da9e6606d1b714fb55b957c56e48
Instruction Fuzzy Hash: 22D0C242B1AE4E0BEF14B67D486D0A53BD29B9954070680E59414CB1B2FC20180D8201

Function 00007FFD9B884BF8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55e1c37265e4e6c06c8d1eb008912a46b751eee4ab1748e23eb2781acc5a4f73
Instruction ID: ace2d3deb27eef6ebd293ce4a4c5c5e98e94e93dfb625713056367b36b703385
Opcode Fuzzy Hash: 55e1c37265e4e6c06c8d1eb008912a46b751eee4ab1748e23eb2781acc5a4f73
Instruction Fuzzy Hash: 2AD0A77296BD0812DA5453244CB20102591AA58614BA90294E438C12E1E82E94428201

Function 00007FFD9B883AC2 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b020f400cfb8ce7e67c138fe7bfed703e0e716c0d79707a85353283a51d47cd
Instruction ID: f813647d98e894cbe1131a73e5c5ced192afdf35f4f0e044da6b7cfc3592ec0f
Opcode Fuzzy Hash: 7b020f400cfb8ce7e67c138fe7bfed703e0e716c0d79707a85353283a51d47cd
Instruction Fuzzy Hash: 38C04C311045119BC385C9A4DC9799B3B64EB863703499471D98547515EB5558139560

Function 00007FFD9B8839FA Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e19dbefb2908c0cce185ca4681431c1c2f491f75ee8ba882438a4259117ca3c8
Instruction ID: 4f851ac9b44de26e23c1156790c8633ac95fd9c888d0213581c4ce701a469e32
Opcode Fuzzy Hash: e19dbefb2908c0cce185ca4681431c1c2f491f75ee8ba882438a4259117ca3c8
Instruction Fuzzy Hash: 30A0110200E2E2E0CA2283A000B00F22F200E0A00C22C00AAC0C008022820020008280

Function 00007FFD9B88320D Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82ecaa0b4a3321324835a43a85e0a359be7c532cfb3e07ae71b04ce52994a3d6
Instruction ID: 49594303c7cba8ca31afcc6ce102cddb5c962f3546497795fbd05b9f1bea566c
Opcode Fuzzy Hash: 82ecaa0b4a3321324835a43a85e0a359be7c532cfb3e07ae71b04ce52994a3d6
Instruction Fuzzy Hash:

Non-executed Functions

Function 00007FFD9B884698 Relevance: .9, Instructions: 910COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796228713.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_hesaphareketi_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0703b79188bc83e63e7505cf3c032edac554da9f402a006be9df883bdecd9d23
Instruction ID: 807bad50293dc9a4f86638a3e04dffd34e9d2876a0a626137e8ef4112dcc8e25
Opcode Fuzzy Hash: 0703b79188bc83e63e7505cf3c032edac554da9f402a006be9df883bdecd9d23
Instruction Fuzzy Hash: 8D420731B1DA494BEB6CEB5C986567473D2EF98340F45457EE44EC32E3EE28A9028681

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hesaphareketi_1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_hesaphareketi_1._249f7061c93968d61f11176880c786d0825038ed_7ae9667d_914613ef-3e3c-4d5a-921c-68d5898b3235\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2B2E.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C57.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C87.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Possible Origin

Network Behavior

UDP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: hesaphareketi_1.exePID: 1072, Parent PID: 2580

General

Windows Analysis Report
hesaphareketi_1.exe