Windows Analysis Report
hesaphareketi__20241001.exe

Overview

General Information

Sample name:	hesaphareketi__20241001.exe
Analysis ID:	1524784
MD5:	5eaafeca7053687b46ecffad93c82418
SHA1:	457566502545fecd8ea9f2249b755135cd03b69b
SHA256:	27ff307b514230b2363e2284e1d57df50bc8a59b5cf8c732dc32d5587d472c64
Tags:	AgentTeslaexegeoTURuser-abuse_ch
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Connects to many ports of the same IP (likely port scanning)

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses FTP

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Signatures

AV Detection

Found malware configuration

Source: 0.2.hesaphareketi__20241001.exe.4bd6010.2.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.normagroup.com.tr", "Username": "admin@normagroup.com.tr", "Password": "Qb.X[.j.Yfm["}

Multi AV Scanner detection for domain / URL

Source: ftp.normagroup.com.tr	Virustotal: Detection: 12%			Perma Link
Source: http://ftp.normagroup.com.tr	Virustotal: Detection: 12%			Perma Link

Multi AV Scanner detection for submitted file

Source: hesaphareketi__20241001.exe	ReversingLabs: Detection: 75%
Source: hesaphareketi__20241001.exe	Virustotal: Detection: 27%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: hesaphareketi__20241001.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: hesaphareketi__20241001.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: hesaphareketi__20241001.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Xk.pdbSHA256 source: hesaphareketi__20241001.exe
Source:	Binary string: Xk.pdb source: hesaphareketi__20241001.exe

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 104.247.165.99 ports 49744,61673,59991,61434,62425,59911,54398,53275,1,2,53982,49774,50773,51305,60182,21,57937

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.hesaphareketi__20241001.exe.4b5a1f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi__20241001.exe.4ade3d0.4.raw.unpack, type: UNPACKEDPE

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49747 -> 104.247.165.99:59911

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 104.247.165.99 104.247.165.99

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS

Uses FTP

Source: unknown

FTP traffic detected: 104.247.165.99:21 -> 192.168.2.5:49746 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed.220-Local time is now 10:13. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed.220-Local time is now 10:13. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed.220-Local time is now 10:13. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed.220-Local time is now 10:13. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: ftp.normagroup.com.tr

Source: hesaphareketi__20241001.exe, 00000005.00000002.4610095898.0000000003014000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi__20241001.exe, 00000005.00000002.4610095898.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi__20241001.exe, 00000005.00000002.4610095898.0000000002E47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ftp.normagroup.com.tr
Source: hesaphareketi__20241001.exe, 00000000.00000002.2149506599.00000000032CD000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi__20241001.exe, 00000005.00000002.4610095898.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: hesaphareketi__20241001.exe, 00000000.00000002.2149976039.00000000048DA000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi__20241001.exe, 00000005.00000002.4608159738.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.hesaphareketi__20241001.exe.4bd6010.2.raw.unpack, SKTzxzsJw.cs

.Net Code: TFawXa

Installs a global keyboard hook

Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\hesaphareketi__20241001.exe

Source: 0.2.hesaphareketi__20241001.exe.4bd6010.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.hesaphareketi__20241001.exe.4bd6010.2.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 5.2.hesaphareketi__20241001.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.hesaphareketi__20241001.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.hesaphareketi__20241001.exe.4b5a1f0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.hesaphareketi__20241001.exe.4b5a1f0.0.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.hesaphareketi__20241001.exe.4bd6010.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.hesaphareketi__20241001.exe.4bd6010.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.hesaphareketi__20241001.exe.4ade3d0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.hesaphareketi__20241001.exe.4ade3d0.4.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_015DD5BC	0_2_015DD5BC
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_055D8514	0_2_055D8514
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_055D8A28	0_2_055D8A28
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_055D0040	0_2_055D0040
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_055D0006	0_2_055D0006
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_055D8A22	0_2_055D8A22
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_055D9868	0_2_055D9868
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_07579180	0_2_07579180
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_0757A0B8	0_2_0757A0B8
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_07575AF0	0_2_07575AF0
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_0757A900	0_2_0757A900
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_07574920	0_2_07574920
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_075769D8	0_2_075769D8
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_07577700	0_2_07577700
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_075776F0	0_2_075776F0
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_075784D0	0_2_075784D0
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_075784C3	0_2_075784C3
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_075793D8	0_2_075793D8
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_075793C8	0_2_075793C8
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_07579170	0_2_07579170
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_07575078	0_2_07575078
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_075770E0	0_2_075770E0
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_07575088	0_2_07575088
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_0757A0A8	0_2_0757A0A8
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_07578F70	0_2_07578F70
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_07578F6A	0_2_07578F6A
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_0757AE40	0_2_0757AE40
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_0757AE30	0_2_0757AE30
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_07578D10	0_2_07578D10
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_07578D03	0_2_07578D03
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_0757EC18	0_2_0757EC18
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_07578B70	0_2_07578B70
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_07578B62	0_2_07578B62
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_07575AE1	0_2_07575AE1
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_07574912	0_2_07574912
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_07573918	0_2_07573918
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_07577900	0_2_07577900
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_07579900	0_2_07579900
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_07576909	0_2_07576909
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_07573908	0_2_07573908
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_07576993	0_2_07576993
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_07576985	0_2_07576985
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_075729A2	0_2_075729A2
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_075799AB	0_2_075799AB
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_075729A8	0_2_075729A8
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_075778F0	0_2_075778F0
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_075798F0	0_2_075798F0
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_0757A8F0	0_2_0757A8F0
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_07A386B0	0_2_07A386B0
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_07A33D60	0_2_07A33D60
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_07A31C88	0_2_07A31C88
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_07A31C78	0_2_07A31C78
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_07A34270	0_2_07A34270
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_07A3425F	0_2_07A3425F
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_07A320B0	0_2_07A320B0
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_07A320C0	0_2_07A320C0
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_07A3180B	0_2_07A3180B
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_07A31850	0_2_07A31850
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 5_2_02C593F8	5_2_02C593F8
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 5_2_02C54A60	5_2_02C54A60
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 5_2_02C59BB0	5_2_02C59BB0
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 5_2_02C53E48	5_2_02C53E48
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 5_2_02C5CF20	5_2_02C5CF20
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 5_2_02C54190	5_2_02C54190
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 5_2_06262EF8	5_2_06262EF8
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 5_2_06265588	5_2_06265588
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 5_2_06263DE8	5_2_06263DE8
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 5_2_06268A68	5_2_06268A68
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 5_2_0626BBE8	5_2_0626BBE8
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 5_2_06260040	5_2_06260040
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 5_2_062699B8	5_2_062699B8
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 5_2_06263650	5_2_06263650
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 5_2_06264EA0	5_2_06264EA0
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 5_2_0626F268	5_2_0626F268
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 5_2_0626F180	5_2_0626F180
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 5_2_06579558	5_2_06579558
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 5_2_06579548	5_2_06579548
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 5_2_06573158	5_2_06573158
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 5_2_02C5D2D8	5_2_02C5D2D8

Source: hesaphareketi__20241001.exe, 00000000.00000002.2149976039.00000000048DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs hesaphareketi__20241001.exe
Source: hesaphareketi__20241001.exe, 00000000.00000002.2149976039.00000000048DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamecef57186-8600-43f5-9c05-f8d076dd51f0.exe4 vs hesaphareketi__20241001.exe
Source: hesaphareketi__20241001.exe, 00000000.00000002.2170370887.0000000007650000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerS vs hesaphareketi__20241001.exe
Source: hesaphareketi__20241001.exe, 00000000.00000002.2170370887.0000000007650000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs hesaphareketi__20241001.exe
Source: hesaphareketi__20241001.exe, 00000000.00000002.2171826753.000000000A710000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs hesaphareketi__20241001.exe
Source: hesaphareketi__20241001.exe, 00000000.00000002.2147318995.000000000143E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs hesaphareketi__20241001.exe
Source: hesaphareketi__20241001.exe, 00000000.00000000.2135243423.0000000000D62000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXk.exe2 vs hesaphareketi__20241001.exe
Source: hesaphareketi__20241001.exe, 00000000.00000002.2149506599.00000000032CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamecef57186-8600-43f5-9c05-f8d076dd51f0.exe4 vs hesaphareketi__20241001.exe
Source: hesaphareketi__20241001.exe, 00000005.00000002.4608940593.00000000010C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs hesaphareketi__20241001.exe
Source: hesaphareketi__20241001.exe, 00000005.00000002.4608596388.0000000000BD9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs hesaphareketi__20241001.exe
Source: hesaphareketi__20241001.exe, 00000005.00000002.4608159738.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamecef57186-8600-43f5-9c05-f8d076dd51f0.exe4 vs hesaphareketi__20241001.exe
Source: hesaphareketi__20241001.exe	Binary or memory string: OriginalFilenameXk.exe2 vs hesaphareketi__20241001.exe

Source: 0.2.hesaphareketi__20241001.exe.4bd6010.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.hesaphareketi__20241001.exe.4bd6010.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 5.2.hesaphareketi__20241001.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.hesaphareketi__20241001.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.hesaphareketi__20241001.exe.4b5a1f0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.hesaphareketi__20241001.exe.4b5a1f0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.hesaphareketi__20241001.exe.4bd6010.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.hesaphareketi__20241001.exe.4bd6010.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.hesaphareketi__20241001.exe.4ade3d0.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.hesaphareketi__20241001.exe.4ade3d0.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: 0.2.hesaphareketi__20241001.exe.4bd6010.2.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareketi__20241001.exe.4bd6010.2.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareketi__20241001.exe.4bd6010.2.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareketi__20241001.exe.4bd6010.2.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareketi__20241001.exe.4bd6010.2.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareketi__20241001.exe.4bd6010.2.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareketi__20241001.exe.4bd6010.2.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareketi__20241001.exe.4bd6010.2.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: 0.2.hesaphareketi__20241001.exe.4b5a1f0.0.raw.unpack, GxasrEb6btbl4ZlyPy.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hesaphareketi__20241001.exe.4ade3d0.4.raw.unpack, GxasrEb6btbl4ZlyPy.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hesaphareketi__20241001.exe.4ade3d0.4.raw.unpack, pMceRfjydasvB3AEin.cs	Security API names: _0020.SetAccessControl
Source: 0.2.hesaphareketi__20241001.exe.4ade3d0.4.raw.unpack, pMceRfjydasvB3AEin.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hesaphareketi__20241001.exe.4ade3d0.4.raw.unpack, pMceRfjydasvB3AEin.cs	Security API names: _0020.AddAccessRule
Source: 0.2.hesaphareketi__20241001.exe.a710000.6.raw.unpack, GxasrEb6btbl4ZlyPy.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hesaphareketi__20241001.exe.a710000.6.raw.unpack, pMceRfjydasvB3AEin.cs	Security API names: _0020.SetAccessControl
Source: 0.2.hesaphareketi__20241001.exe.a710000.6.raw.unpack, pMceRfjydasvB3AEin.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hesaphareketi__20241001.exe.a710000.6.raw.unpack, pMceRfjydasvB3AEin.cs	Security API names: _0020.AddAccessRule
Source: 0.2.hesaphareketi__20241001.exe.4b5a1f0.0.raw.unpack, pMceRfjydasvB3AEin.cs	Security API names: _0020.SetAccessControl
Source: 0.2.hesaphareketi__20241001.exe.4b5a1f0.0.raw.unpack, pMceRfjydasvB3AEin.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hesaphareketi__20241001.exe.4b5a1f0.0.raw.unpack, pMceRfjydasvB3AEin.cs	Security API names: _0020.AddAccessRule

Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2924:120:WilError_03

Source: unknown	Process created: C:\Users\user\Desktop\hesaphareketi__20241001.exe "C:\Users\user\Desktop\hesaphareketi__20241001.exe"
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi__20241001.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Process created: C:\Users\user\Desktop\hesaphareketi__20241001.exe "C:\Users\user\Desktop\hesaphareketi__20241001.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi__20241001.exe"	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Process created: C:\Users\user\Desktop\hesaphareketi__20241001.exe "C:\Users\user\Desktop\hesaphareketi__20241001.exe"	Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: hesaphareketi__20241001.exe, frmListContacts.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.hesaphareketi__20241001.exe.4b5a1f0.0.raw.unpack, pMceRfjydasvB3AEin.cs	.Net Code: bS50r79wDG System.Reflection.Assembly.Load(byte[])
Source: 0.2.hesaphareketi__20241001.exe.40aa230.1.raw.unpack, MainForm.cs	.Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.hesaphareketi__20241001.exe.40c2450.3.raw.unpack, MainForm.cs	.Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.hesaphareketi__20241001.exe.7890000.5.raw.unpack, MainForm.cs	.Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.hesaphareketi__20241001.exe.4ade3d0.4.raw.unpack, pMceRfjydasvB3AEin.cs	.Net Code: bS50r79wDG System.Reflection.Assembly.Load(byte[])
Source: 0.2.hesaphareketi__20241001.exe.a710000.6.raw.unpack, pMceRfjydasvB3AEin.cs	.Net Code: bS50r79wDG System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_015DF112 pushad ; iretd	0_2_015DF119
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_055DCE50 push eax; ret	0_2_055DF4E1
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_055DFDC0 push eax; mov dword ptr [esp], ecx	0_2_055DFDD4
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_07577C80 pushad ; ret	0_2_07577C81
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Code function: 0_2_07A3A14D push FFFFFF8Bh; iretd	0_2_07A3A14F

Source: 0.2.hesaphareketi__20241001.exe.4b5a1f0.0.raw.unpack, oM3yqP0pdOqJtt0hwo.cs	High entropy of concatenated method names: 'Gdv6YxasrE', 'bbt6jbl4Zl', 'ahb6VN4WJe', 'GrB6lNbeAf', 'qUV6922YSR', 'wYt6cBwkQC', 'gamWHa5xZQiT4hOarQ', 'okWpYddVd96LG4v2S1', 'iaW9tS6kBOO8bOXSOd', 'IsE66JAq8f'
Source: 0.2.hesaphareketi__20241001.exe.4b5a1f0.0.raw.unpack, jxtK5RFj1Y2g2eJ6Jh.cs	High entropy of concatenated method names: 'IO6N618GSK', 'C0ZNS3cnN5', 'IIMN08VWhk', 'VeJNybVTRi', 'Tb0N8YFRUg', 'BTbNAv1Tbe', 'TsONsK3l3g', 'ywxiGAoq1y', 'pu1iBtwN9s', 'spjiRLZvqZ'
Source: 0.2.hesaphareketi__20241001.exe.4b5a1f0.0.raw.unpack, xxMJ9R6aIbQ1FxVAIOn.cs	High entropy of concatenated method names: 'C27Ne3d7Ve', 'w91NMaPoBf', 'pFmNrjkkN7', 'xL3NUMi86Q', 'oyQNm1Uf3g', 'k7yNIn1ciE', 'mnPNoRCClQ', 'XKJNbTX1pZ', 'BbWNTi85cE', 'EbtNDahjaI'
Source: 0.2.hesaphareketi__20241001.exe.4b5a1f0.0.raw.unpack, yvnqjZuT3Mj4EaRnjM.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'F4HpR82jn4', 'zJcpFsKgvf', 'M59pz0KFTX', 'wWOSaMMrwK', 'jTsS6cIxdH', 'SQ1Sp5fZgu', 'endSSjp6XL', 'tiDy9xyeQbAnAum0njx'
Source: 0.2.hesaphareketi__20241001.exe.4b5a1f0.0.raw.unpack, rQMVFf4JGsgCQU071W.cs	High entropy of concatenated method names: 'v8WEbTYsD3', 'cxOETM3Kke', 'VbMEvOWJPQ', 'vWeEtidKZC', 'vV5E27yd4A', 'FimEQW2XG8', 'F76E1s2xpM', 'A6JEJx1YqO', 'NxAEfHrmE4', 'zRIEdDmtvY'
Source: 0.2.hesaphareketi__20241001.exe.4b5a1f0.0.raw.unpack, j2A3akwxX8ZEUCuPhW.cs	High entropy of concatenated method names: 'AvLhB5oiZ5', 'NbchFoshMe', 'peiiacQI6a', 'domi6oqhlp', 'PmlhdYJwnQ', 'HQLhLvjj3y', 'su1h4c8BAU', 'xEEh3sBWI4', 'j5phOaqt2i', 'LbQh7FMMcl'
Source: 0.2.hesaphareketi__20241001.exe.4b5a1f0.0.raw.unpack, lXcL7hR8MPuGRUdffj.cs	High entropy of concatenated method names: 's9BivdlkwL', 'GgRitCkbmb', 'XZOiHqBnXQ', 'RXyi2Ey2MV', 'LA6i3Yh0uU', 'lqJiQq0qX8', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.hesaphareketi__20241001.exe.4b5a1f0.0.raw.unpack, yrtDJ8zlG303A4dPlO.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ALVNEC8gOQ', 'XRwN9Z43Yw', 'NmUNc9563O', 'y2nNhORViA', 'CH4NiPScgb', 'YeLNNWbrY5', 'Fc1NnonUSd'
Source: 0.2.hesaphareketi__20241001.exe.4b5a1f0.0.raw.unpack, GxasrEb6btbl4ZlyPy.cs	High entropy of concatenated method names: 'EuP83RttDC', 'MKI8OaIgR1', 'f9387Z1ELR', 'GQe8qlEtGP', 'Wew8xtix22', 'CWn8wlsGcM', 'sD28GtnWVw', 'o5l8BXCGhr', 'daJ8R0VtlF', 'dxa8FXgBo6'
Source: 0.2.hesaphareketi__20241001.exe.4b5a1f0.0.raw.unpack, QcccKvBOIqNEDDbfSO.cs	High entropy of concatenated method names: 'CB1iydUHER', 'z1yi8qtpG4', 'PpCiuGPYUX', 'DTriACk9Fs', 'YLFisWLROX', 'EbKiY0F5uY', 'KlSijg1RtP', 'HupiC7LRfb', 'IIQiV8JTIg', 'HWPilGcqGd'
Source: 0.2.hesaphareketi__20241001.exe.4b5a1f0.0.raw.unpack, kMIvxVgMnZ8X3ijAoI.cs	High entropy of concatenated method names: 'UW2YeUJBcb', 'VVAYMCNJqi', 'M6HYrjydNa', 'FWNYU1iLD4', 'yWAYmU0HDU', 'WwmYIFfr3w', 'GNcYocupWU', 'y7QYbpj7J6', 'BUqYT8JqmW', 'CBsYDZVKcB'
Source: 0.2.hesaphareketi__20241001.exe.4b5a1f0.0.raw.unpack, xCkofu1qgWKeqdhGVy.cs	High entropy of concatenated method names: 'FYoYy9Lj8n', 'o5dYuNKuhd', 'j3hYskXoN7', 'cZ3sFSCSWD', 'dWiszAQM0N', 'fVvYaXfKv2', 'vHoY67CsLQ', 'bJUYpsnYeQ', 'myBYSA3ldu', 'C8fY0C9D0Y'
Source: 0.2.hesaphareketi__20241001.exe.4b5a1f0.0.raw.unpack, vZ1DdYpttd7fpYi8k2.cs	High entropy of concatenated method names: 'gWgrPBkwy', 'XPlUwRVLq', 'AtbITuMj9', 'imvot8Ti7', 'KhfTwQMyI', 'EC0DIYwt1', 'q3TdwSbKKiiS2sSNZ9', 'HR3QW94b2cVrXsghQt', 'wfZiEGYkZ', 'WI3nC8aZQ'
Source: 0.2.hesaphareketi__20241001.exe.4b5a1f0.0.raw.unpack, qZS5oaThbN4WJevrBN.cs	High entropy of concatenated method names: 'PsKuUGcJGs', 'Tm7uI8PeTJ', 'Nhiublk2KA', 'kavuT2wbD1', 'neiu9bcYjN', 'JOIuchXU8h', 'KH9uhYyRDK', 'J6IuisQo9a', 'm8cuNJHmfC', 'iBpunZxOEY'
Source: 0.2.hesaphareketi__20241001.exe.4b5a1f0.0.raw.unpack, pMceRfjydasvB3AEin.cs	High entropy of concatenated method names: 'EDvSKvsv6N', 'BSYSypaGai', 'Od4S8VDUgi', 'b9RSujQt9T', 'fOmSAf4kJ1', 'VvPSsiVrfU', 'rjKSY1qNgU', 'IPbSjg1ys3', 'DR8SCoH2v3', 'tQ6SVwo9ep'
Source: 0.2.hesaphareketi__20241001.exe.4b5a1f0.0.raw.unpack, aVOQLr86BIZOs4JD1e.cs	High entropy of concatenated method names: 'Dispose', 'xEo6RcE1hn', 'ofjptkc40Y', 'DicFF3wBv9', 'k4c6FccKvO', 'CqN6zEDDbf', 'ProcessDialogKey', 'cOCpaXcL7h', 'gMPp6uGRUd', 'NfjppYxtK5'
Source: 0.2.hesaphareketi__20241001.exe.4b5a1f0.0.raw.unpack, DeAfCSDBU9yLGhUV22.cs	High entropy of concatenated method names: 'FRDAmdgBCW', 'kdTAojAMPe', 'v7QuHgLoUd', 'C8iu2RpDhy', 'FFyuQTx5tY', 'NgBuZMrGn3', 'Ldku1QceXT', 'CIyuJXm5W6', 'bIqugSbYYW', 'DIiufs1CYU'
Source: 0.2.hesaphareketi__20241001.exe.4b5a1f0.0.raw.unpack, jSRXYtvBwkQC7BKMXG.cs	High entropy of concatenated method names: 'R5RsKuZgC9', 'bR2s8QGSBd', 'SRHsAwEpve', 'mNjsYSbm6s', 'QVWsjNGdRa', 'E2lAxfvA58', 'St7AwCF7fc', 'kiMAGTANPx', 'uejAB378SJ', 'no6AReu0IU'
Source: 0.2.hesaphareketi__20241001.exe.4b5a1f0.0.raw.unpack, M3Tk9D7EuWvvcB5aAS.cs	High entropy of concatenated method names: 'ToString', 'ALrcdGVykS', 'Qt2ctf4S0O', 'KnLcHGU4XW', 'Ph2c2iagvq', 'xX7cQjluuu', 'V6bcZVZ0yt', 'bBuc1pXpqj', 'yQQcJiR1O2', 'P6xcgAsq09'
Source: 0.2.hesaphareketi__20241001.exe.4b5a1f0.0.raw.unpack, NOSfVqqeoph6EVZH5u.cs	High entropy of concatenated method names: 'vOlhVP8XEc', 'NFJhlOywTT', 'ToString', 'ctjhyQNq4q', 'SJyh8NMT3M', 'mkyhuF1B7I', 'HZohAaLoZa', 'zIChsRum2K', 'dZihYAaoPS', 'omuhjwkY6F'
Source: 0.2.hesaphareketi__20241001.exe.4ade3d0.4.raw.unpack, oM3yqP0pdOqJtt0hwo.cs	High entropy of concatenated method names: 'Gdv6YxasrE', 'bbt6jbl4Zl', 'ahb6VN4WJe', 'GrB6lNbeAf', 'qUV6922YSR', 'wYt6cBwkQC', 'gamWHa5xZQiT4hOarQ', 'okWpYddVd96LG4v2S1', 'iaW9tS6kBOO8bOXSOd', 'IsE66JAq8f'
Source: 0.2.hesaphareketi__20241001.exe.4ade3d0.4.raw.unpack, jxtK5RFj1Y2g2eJ6Jh.cs	High entropy of concatenated method names: 'IO6N618GSK', 'C0ZNS3cnN5', 'IIMN08VWhk', 'VeJNybVTRi', 'Tb0N8YFRUg', 'BTbNAv1Tbe', 'TsONsK3l3g', 'ywxiGAoq1y', 'pu1iBtwN9s', 'spjiRLZvqZ'
Source: 0.2.hesaphareketi__20241001.exe.4ade3d0.4.raw.unpack, xxMJ9R6aIbQ1FxVAIOn.cs	High entropy of concatenated method names: 'C27Ne3d7Ve', 'w91NMaPoBf', 'pFmNrjkkN7', 'xL3NUMi86Q', 'oyQNm1Uf3g', 'k7yNIn1ciE', 'mnPNoRCClQ', 'XKJNbTX1pZ', 'BbWNTi85cE', 'EbtNDahjaI'
Source: 0.2.hesaphareketi__20241001.exe.4ade3d0.4.raw.unpack, yvnqjZuT3Mj4EaRnjM.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'F4HpR82jn4', 'zJcpFsKgvf', 'M59pz0KFTX', 'wWOSaMMrwK', 'jTsS6cIxdH', 'SQ1Sp5fZgu', 'endSSjp6XL', 'tiDy9xyeQbAnAum0njx'
Source: 0.2.hesaphareketi__20241001.exe.4ade3d0.4.raw.unpack, rQMVFf4JGsgCQU071W.cs	High entropy of concatenated method names: 'v8WEbTYsD3', 'cxOETM3Kke', 'VbMEvOWJPQ', 'vWeEtidKZC', 'vV5E27yd4A', 'FimEQW2XG8', 'F76E1s2xpM', 'A6JEJx1YqO', 'NxAEfHrmE4', 'zRIEdDmtvY'
Source: 0.2.hesaphareketi__20241001.exe.4ade3d0.4.raw.unpack, j2A3akwxX8ZEUCuPhW.cs	High entropy of concatenated method names: 'AvLhB5oiZ5', 'NbchFoshMe', 'peiiacQI6a', 'domi6oqhlp', 'PmlhdYJwnQ', 'HQLhLvjj3y', 'su1h4c8BAU', 'xEEh3sBWI4', 'j5phOaqt2i', 'LbQh7FMMcl'
Source: 0.2.hesaphareketi__20241001.exe.4ade3d0.4.raw.unpack, lXcL7hR8MPuGRUdffj.cs	High entropy of concatenated method names: 's9BivdlkwL', 'GgRitCkbmb', 'XZOiHqBnXQ', 'RXyi2Ey2MV', 'LA6i3Yh0uU', 'lqJiQq0qX8', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.hesaphareketi__20241001.exe.4ade3d0.4.raw.unpack, yrtDJ8zlG303A4dPlO.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ALVNEC8gOQ', 'XRwN9Z43Yw', 'NmUNc9563O', 'y2nNhORViA', 'CH4NiPScgb', 'YeLNNWbrY5', 'Fc1NnonUSd'
Source: 0.2.hesaphareketi__20241001.exe.4ade3d0.4.raw.unpack, GxasrEb6btbl4ZlyPy.cs	High entropy of concatenated method names: 'EuP83RttDC', 'MKI8OaIgR1', 'f9387Z1ELR', 'GQe8qlEtGP', 'Wew8xtix22', 'CWn8wlsGcM', 'sD28GtnWVw', 'o5l8BXCGhr', 'daJ8R0VtlF', 'dxa8FXgBo6'
Source: 0.2.hesaphareketi__20241001.exe.4ade3d0.4.raw.unpack, QcccKvBOIqNEDDbfSO.cs	High entropy of concatenated method names: 'CB1iydUHER', 'z1yi8qtpG4', 'PpCiuGPYUX', 'DTriACk9Fs', 'YLFisWLROX', 'EbKiY0F5uY', 'KlSijg1RtP', 'HupiC7LRfb', 'IIQiV8JTIg', 'HWPilGcqGd'
Source: 0.2.hesaphareketi__20241001.exe.4ade3d0.4.raw.unpack, kMIvxVgMnZ8X3ijAoI.cs	High entropy of concatenated method names: 'UW2YeUJBcb', 'VVAYMCNJqi', 'M6HYrjydNa', 'FWNYU1iLD4', 'yWAYmU0HDU', 'WwmYIFfr3w', 'GNcYocupWU', 'y7QYbpj7J6', 'BUqYT8JqmW', 'CBsYDZVKcB'
Source: 0.2.hesaphareketi__20241001.exe.4ade3d0.4.raw.unpack, xCkofu1qgWKeqdhGVy.cs	High entropy of concatenated method names: 'FYoYy9Lj8n', 'o5dYuNKuhd', 'j3hYskXoN7', 'cZ3sFSCSWD', 'dWiszAQM0N', 'fVvYaXfKv2', 'vHoY67CsLQ', 'bJUYpsnYeQ', 'myBYSA3ldu', 'C8fY0C9D0Y'
Source: 0.2.hesaphareketi__20241001.exe.4ade3d0.4.raw.unpack, vZ1DdYpttd7fpYi8k2.cs	High entropy of concatenated method names: 'gWgrPBkwy', 'XPlUwRVLq', 'AtbITuMj9', 'imvot8Ti7', 'KhfTwQMyI', 'EC0DIYwt1', 'q3TdwSbKKiiS2sSNZ9', 'HR3QW94b2cVrXsghQt', 'wfZiEGYkZ', 'WI3nC8aZQ'
Source: 0.2.hesaphareketi__20241001.exe.4ade3d0.4.raw.unpack, qZS5oaThbN4WJevrBN.cs	High entropy of concatenated method names: 'PsKuUGcJGs', 'Tm7uI8PeTJ', 'Nhiublk2KA', 'kavuT2wbD1', 'neiu9bcYjN', 'JOIuchXU8h', 'KH9uhYyRDK', 'J6IuisQo9a', 'm8cuNJHmfC', 'iBpunZxOEY'
Source: 0.2.hesaphareketi__20241001.exe.4ade3d0.4.raw.unpack, pMceRfjydasvB3AEin.cs	High entropy of concatenated method names: 'EDvSKvsv6N', 'BSYSypaGai', 'Od4S8VDUgi', 'b9RSujQt9T', 'fOmSAf4kJ1', 'VvPSsiVrfU', 'rjKSY1qNgU', 'IPbSjg1ys3', 'DR8SCoH2v3', 'tQ6SVwo9ep'
Source: 0.2.hesaphareketi__20241001.exe.4ade3d0.4.raw.unpack, aVOQLr86BIZOs4JD1e.cs	High entropy of concatenated method names: 'Dispose', 'xEo6RcE1hn', 'ofjptkc40Y', 'DicFF3wBv9', 'k4c6FccKvO', 'CqN6zEDDbf', 'ProcessDialogKey', 'cOCpaXcL7h', 'gMPp6uGRUd', 'NfjppYxtK5'
Source: 0.2.hesaphareketi__20241001.exe.4ade3d0.4.raw.unpack, DeAfCSDBU9yLGhUV22.cs	High entropy of concatenated method names: 'FRDAmdgBCW', 'kdTAojAMPe', 'v7QuHgLoUd', 'C8iu2RpDhy', 'FFyuQTx5tY', 'NgBuZMrGn3', 'Ldku1QceXT', 'CIyuJXm5W6', 'bIqugSbYYW', 'DIiufs1CYU'
Source: 0.2.hesaphareketi__20241001.exe.4ade3d0.4.raw.unpack, jSRXYtvBwkQC7BKMXG.cs	High entropy of concatenated method names: 'R5RsKuZgC9', 'bR2s8QGSBd', 'SRHsAwEpve', 'mNjsYSbm6s', 'QVWsjNGdRa', 'E2lAxfvA58', 'St7AwCF7fc', 'kiMAGTANPx', 'uejAB378SJ', 'no6AReu0IU'
Source: 0.2.hesaphareketi__20241001.exe.4ade3d0.4.raw.unpack, M3Tk9D7EuWvvcB5aAS.cs	High entropy of concatenated method names: 'ToString', 'ALrcdGVykS', 'Qt2ctf4S0O', 'KnLcHGU4XW', 'Ph2c2iagvq', 'xX7cQjluuu', 'V6bcZVZ0yt', 'bBuc1pXpqj', 'yQQcJiR1O2', 'P6xcgAsq09'
Source: 0.2.hesaphareketi__20241001.exe.4ade3d0.4.raw.unpack, NOSfVqqeoph6EVZH5u.cs	High entropy of concatenated method names: 'vOlhVP8XEc', 'NFJhlOywTT', 'ToString', 'ctjhyQNq4q', 'SJyh8NMT3M', 'mkyhuF1B7I', 'HZohAaLoZa', 'zIChsRum2K', 'dZihYAaoPS', 'omuhjwkY6F'
Source: 0.2.hesaphareketi__20241001.exe.a710000.6.raw.unpack, oM3yqP0pdOqJtt0hwo.cs	High entropy of concatenated method names: 'Gdv6YxasrE', 'bbt6jbl4Zl', 'ahb6VN4WJe', 'GrB6lNbeAf', 'qUV6922YSR', 'wYt6cBwkQC', 'gamWHa5xZQiT4hOarQ', 'okWpYddVd96LG4v2S1', 'iaW9tS6kBOO8bOXSOd', 'IsE66JAq8f'
Source: 0.2.hesaphareketi__20241001.exe.a710000.6.raw.unpack, jxtK5RFj1Y2g2eJ6Jh.cs	High entropy of concatenated method names: 'IO6N618GSK', 'C0ZNS3cnN5', 'IIMN08VWhk', 'VeJNybVTRi', 'Tb0N8YFRUg', 'BTbNAv1Tbe', 'TsONsK3l3g', 'ywxiGAoq1y', 'pu1iBtwN9s', 'spjiRLZvqZ'
Source: 0.2.hesaphareketi__20241001.exe.a710000.6.raw.unpack, xxMJ9R6aIbQ1FxVAIOn.cs	High entropy of concatenated method names: 'C27Ne3d7Ve', 'w91NMaPoBf', 'pFmNrjkkN7', 'xL3NUMi86Q', 'oyQNm1Uf3g', 'k7yNIn1ciE', 'mnPNoRCClQ', 'XKJNbTX1pZ', 'BbWNTi85cE', 'EbtNDahjaI'
Source: 0.2.hesaphareketi__20241001.exe.a710000.6.raw.unpack, yvnqjZuT3Mj4EaRnjM.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'F4HpR82jn4', 'zJcpFsKgvf', 'M59pz0KFTX', 'wWOSaMMrwK', 'jTsS6cIxdH', 'SQ1Sp5fZgu', 'endSSjp6XL', 'tiDy9xyeQbAnAum0njx'
Source: 0.2.hesaphareketi__20241001.exe.a710000.6.raw.unpack, rQMVFf4JGsgCQU071W.cs	High entropy of concatenated method names: 'v8WEbTYsD3', 'cxOETM3Kke', 'VbMEvOWJPQ', 'vWeEtidKZC', 'vV5E27yd4A', 'FimEQW2XG8', 'F76E1s2xpM', 'A6JEJx1YqO', 'NxAEfHrmE4', 'zRIEdDmtvY'
Source: 0.2.hesaphareketi__20241001.exe.a710000.6.raw.unpack, j2A3akwxX8ZEUCuPhW.cs	High entropy of concatenated method names: 'AvLhB5oiZ5', 'NbchFoshMe', 'peiiacQI6a', 'domi6oqhlp', 'PmlhdYJwnQ', 'HQLhLvjj3y', 'su1h4c8BAU', 'xEEh3sBWI4', 'j5phOaqt2i', 'LbQh7FMMcl'
Source: 0.2.hesaphareketi__20241001.exe.a710000.6.raw.unpack, lXcL7hR8MPuGRUdffj.cs	High entropy of concatenated method names: 's9BivdlkwL', 'GgRitCkbmb', 'XZOiHqBnXQ', 'RXyi2Ey2MV', 'LA6i3Yh0uU', 'lqJiQq0qX8', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.hesaphareketi__20241001.exe.a710000.6.raw.unpack, yrtDJ8zlG303A4dPlO.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ALVNEC8gOQ', 'XRwN9Z43Yw', 'NmUNc9563O', 'y2nNhORViA', 'CH4NiPScgb', 'YeLNNWbrY5', 'Fc1NnonUSd'
Source: 0.2.hesaphareketi__20241001.exe.a710000.6.raw.unpack, GxasrEb6btbl4ZlyPy.cs	High entropy of concatenated method names: 'EuP83RttDC', 'MKI8OaIgR1', 'f9387Z1ELR', 'GQe8qlEtGP', 'Wew8xtix22', 'CWn8wlsGcM', 'sD28GtnWVw', 'o5l8BXCGhr', 'daJ8R0VtlF', 'dxa8FXgBo6'
Source: 0.2.hesaphareketi__20241001.exe.a710000.6.raw.unpack, QcccKvBOIqNEDDbfSO.cs	High entropy of concatenated method names: 'CB1iydUHER', 'z1yi8qtpG4', 'PpCiuGPYUX', 'DTriACk9Fs', 'YLFisWLROX', 'EbKiY0F5uY', 'KlSijg1RtP', 'HupiC7LRfb', 'IIQiV8JTIg', 'HWPilGcqGd'
Source: 0.2.hesaphareketi__20241001.exe.a710000.6.raw.unpack, kMIvxVgMnZ8X3ijAoI.cs	High entropy of concatenated method names: 'UW2YeUJBcb', 'VVAYMCNJqi', 'M6HYrjydNa', 'FWNYU1iLD4', 'yWAYmU0HDU', 'WwmYIFfr3w', 'GNcYocupWU', 'y7QYbpj7J6', 'BUqYT8JqmW', 'CBsYDZVKcB'
Source: 0.2.hesaphareketi__20241001.exe.a710000.6.raw.unpack, xCkofu1qgWKeqdhGVy.cs	High entropy of concatenated method names: 'FYoYy9Lj8n', 'o5dYuNKuhd', 'j3hYskXoN7', 'cZ3sFSCSWD', 'dWiszAQM0N', 'fVvYaXfKv2', 'vHoY67CsLQ', 'bJUYpsnYeQ', 'myBYSA3ldu', 'C8fY0C9D0Y'
Source: 0.2.hesaphareketi__20241001.exe.a710000.6.raw.unpack, vZ1DdYpttd7fpYi8k2.cs	High entropy of concatenated method names: 'gWgrPBkwy', 'XPlUwRVLq', 'AtbITuMj9', 'imvot8Ti7', 'KhfTwQMyI', 'EC0DIYwt1', 'q3TdwSbKKiiS2sSNZ9', 'HR3QW94b2cVrXsghQt', 'wfZiEGYkZ', 'WI3nC8aZQ'
Source: 0.2.hesaphareketi__20241001.exe.a710000.6.raw.unpack, qZS5oaThbN4WJevrBN.cs	High entropy of concatenated method names: 'PsKuUGcJGs', 'Tm7uI8PeTJ', 'Nhiublk2KA', 'kavuT2wbD1', 'neiu9bcYjN', 'JOIuchXU8h', 'KH9uhYyRDK', 'J6IuisQo9a', 'm8cuNJHmfC', 'iBpunZxOEY'
Source: 0.2.hesaphareketi__20241001.exe.a710000.6.raw.unpack, pMceRfjydasvB3AEin.cs	High entropy of concatenated method names: 'EDvSKvsv6N', 'BSYSypaGai', 'Od4S8VDUgi', 'b9RSujQt9T', 'fOmSAf4kJ1', 'VvPSsiVrfU', 'rjKSY1qNgU', 'IPbSjg1ys3', 'DR8SCoH2v3', 'tQ6SVwo9ep'
Source: 0.2.hesaphareketi__20241001.exe.a710000.6.raw.unpack, aVOQLr86BIZOs4JD1e.cs	High entropy of concatenated method names: 'Dispose', 'xEo6RcE1hn', 'ofjptkc40Y', 'DicFF3wBv9', 'k4c6FccKvO', 'CqN6zEDDbf', 'ProcessDialogKey', 'cOCpaXcL7h', 'gMPp6uGRUd', 'NfjppYxtK5'
Source: 0.2.hesaphareketi__20241001.exe.a710000.6.raw.unpack, DeAfCSDBU9yLGhUV22.cs	High entropy of concatenated method names: 'FRDAmdgBCW', 'kdTAojAMPe', 'v7QuHgLoUd', 'C8iu2RpDhy', 'FFyuQTx5tY', 'NgBuZMrGn3', 'Ldku1QceXT', 'CIyuJXm5W6', 'bIqugSbYYW', 'DIiufs1CYU'
Source: 0.2.hesaphareketi__20241001.exe.a710000.6.raw.unpack, jSRXYtvBwkQC7BKMXG.cs	High entropy of concatenated method names: 'R5RsKuZgC9', 'bR2s8QGSBd', 'SRHsAwEpve', 'mNjsYSbm6s', 'QVWsjNGdRa', 'E2lAxfvA58', 'St7AwCF7fc', 'kiMAGTANPx', 'uejAB378SJ', 'no6AReu0IU'
Source: 0.2.hesaphareketi__20241001.exe.a710000.6.raw.unpack, M3Tk9D7EuWvvcB5aAS.cs	High entropy of concatenated method names: 'ToString', 'ALrcdGVykS', 'Qt2ctf4S0O', 'KnLcHGU4XW', 'Ph2c2iagvq', 'xX7cQjluuu', 'V6bcZVZ0yt', 'bBuc1pXpqj', 'yQQcJiR1O2', 'P6xcgAsq09'
Source: 0.2.hesaphareketi__20241001.exe.a710000.6.raw.unpack, NOSfVqqeoph6EVZH5u.cs	High entropy of concatenated method names: 'vOlhVP8XEc', 'NFJhlOywTT', 'ToString', 'ctjhyQNq4q', 'SJyh8NMT3M', 'mkyhuF1B7I', 'HZohAaLoZa', 'zIChsRum2K', 'dZihYAaoPS', 'omuhjwkY6F'

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Memory allocated: 15D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Memory allocated: 3080000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Memory allocated: 2EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Memory allocated: 7F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Memory allocated: 8F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Memory allocated: 9100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Memory allocated: A100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Memory allocated: A790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Memory allocated: B790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Memory allocated: C790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Memory allocated: 2B60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Memory allocated: 2D70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Memory allocated: 2B60000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1200000	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1199828	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1199718	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1199592	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1199484	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1199375	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1199248	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1199140	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1199031	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1198894	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1198734	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1198504	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1198218	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1198020	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1197875	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1197765	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1197656	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1197546	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1197437	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1197328	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1197218	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1197109	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1197000	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1196890	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1196781	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1196672	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1196559	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1196453	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1196343	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1196234	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1196125	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1196015	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1195906	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1195797	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1195687	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1195578	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1195468	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1195359	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1195250	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1195140	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1195031	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1194922	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1194812	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1194703	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1194593	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1194484	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1194374	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1194265	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1194156	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1194047	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1193937	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1193827	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1193718	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Thread delayed: delay time: 1193609	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6786	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2873	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Window / User API: threadDelayed 2687	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Window / User API: threadDelayed 7152	Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 5420	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3304	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -35048813740048126s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1200000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1199828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1199718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1199592s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1199484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1199375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1199248s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1199140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1199031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1198894s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1198734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1198504s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1198218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1198020s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1197875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1197765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1197656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1197546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1197437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1197328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1197218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1197109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1197000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1196890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1196781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1196672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1196559s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1196453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1196343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1196234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1196125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1196015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1195906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1195797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1195687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1195578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1195468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1195359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1195250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1195140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1195031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1194922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1194812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1194703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1194593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1194484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1194374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1194265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1194156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1194047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1193937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1193827s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1193718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe TID: 2944	Thread sleep time: -1193609s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Queries volume information: C:\Users\user\Desktop\hesaphareketi__20241001.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Queries volume information: C:\Users\user\Desktop\hesaphareketi__20241001.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi__20241001.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Windows Analysis Report hesaphareketi__20241001.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report
hesaphareketi__20241001.exe

Malware Threat Intel
Provided by

ID:	1524784
Product:	CloudBasic
Start time:	09:10:13
Start date:	03.10.2024
Sample:	hesaphareketi__20241001.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	5eaafeca7053687b46ecffad93c82418
SHA1:	457566502545fecd8ea9f2249b755135cd03b69b
SHA256:	27ff307b514230b2363e2284e1d57df50bc8a59b5cf8c732dc32d5587d472c64
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hesaphareketi__20241001.exe.log	ASCII text, with CRLF line terminators	1330C80CAAC9A0FB172F202485E9B1E8	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	C961E3496AA47D8AF3F9E184D4F78133	0EFEA67BD361E99BBE642D6EF414EBE7BB6EC134	303E0E36CAC4900807E47B6AF8CDAB4FBFDB6A67D66F84F49E283557EA1774B1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3hty4xym.goh.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bd1xluqj.ocf.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_krvza5le.p5j.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_svqnh3ct.fgw.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7