Windows Analysis Report
Gun Ici Cek Statu Listesi.exe

Overview

General Information

Sample name: Gun Ici Cek Statu Listesi.exe
Analysis ID: 1545932
MD5: 3dc6111263e1e236519080dbea81c1f1
SHA1: 1600ba53fdd878a0d93e7eaabec5b82558c8d6f2
SHA256: 29ce0132efcb5e1aad146065672d83b6b4ced076f1c91a851c8b34a30e7e08eb
Tags: exe, user-lowmal3
Infos:

Detection

MassLogger RAT
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected MassLogger RAT
Yara detected Telegram RAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Gun Ici Cek Statu Listesi.exe (PID: 7756 cmdline: "C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe" MD5: 3DC6111263E1E236519080DBEA81C1F1)
    • powershell.exe (PID: 7948 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
{"EXfil Mode": "SMTP", "From": "kingnovasend@zqamcx.com", "Password": "Anambraeast", "Server": "zqamcx.com", "To": "kingnovaresult@zqamcx.com", "Port": 587}
Source: 00000004.00000002.1300730080.0000000004009000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Author: Joe Security
Source: 00000004.00000002.1300730080.0000000004009000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 00000004.00000002.1300730080.0000000004009000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Author: Joe Security
Source: 00000004.00000002.1300730080.0000000004009000.00000004.00000800.00020000.00000000.sdmp, Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Author: unknown, Strings:
  • 0x2c477:$a1: get_encryptedPassword
  • 0x43297:$a1: get_encryptedPassword
  • 0x2c79f:$a2: get_encryptedUsername
  • 0x435bf:$a2: get_encryptedUsername
  • 0x2c212:$a3: get_timePasswordChanged
  • 0x43032:$a3: get_timePasswordChanged
  • 0x2c333:$a4: get_passwordField
  • 0x43153:$a4: get_passwordField
  • 0x2c48d:$a5: set_encryptedPassword
  • 0x432ad:$a5: set_encryptedPassword
  • 0x2dde9:$a7: get_logins
  • 0x44c09:$a7: get_logins
  • 0x2da9a:$a8: GetOutlookPasswords
  • 0x448ba:$a8: GetOutlookPasswords
  • 0x2d88c:$a9: StartKeylogger
  • 0x446ac:$a9: StartKeylogger
  • 0x2dd39:$a10: KeyLoggerEventArgs
  • 0x44b59:$a10: KeyLoggerEventArgs
  • 0x2d8e9:$a11: KeyLoggerEventArgsEventHandler
  • 0x44709:$a11: KeyLoggerEventArgsEventHandler
Source: 00000009.00000002.2538399423.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Author: Joe Security

Source: 4.2.Gun Ici Cek Statu Listesi.exe.403d0f0.2.raw.unpack, Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Author: Joe Security
Source: 4.2.Gun Ici Cek Statu Listesi.exe.403d0f0.2.raw.unpack, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 4.2.Gun Ici Cek Statu Listesi.exe.403d0f0.2.raw.unpack, Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Author: Joe Security
Source: 4.2.Gun Ici Cek Statu Listesi.exe.403d0f0.2.raw.unpack, Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Author: unknown, Strings:
  • 0xf1a7:$a1: get_encryptedPassword
  • 0xf4cf:$a2: get_encryptedUsername
  • 0xef42:$a3: get_timePasswordChanged
  • 0xf063:$a4: get_passwordField
  • 0xf1bd:$a5: set_encryptedPassword
  • 0x10b19:$a7: get_logins
  • 0x107ca:$a8: GetOutlookPasswords
  • 0x105bc:$a9: StartKeylogger
  • 0x10a69:$a10: KeyLoggerEventArgs
  • 0x10619:$a11: KeyLoggerEventArgsEventHandler
Source: 4.2.Gun Ici Cek Statu Listesi.exe.403d0f0.2.raw.unpack, Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Author: Florian Roth, Strings:
  • 0x1414b:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x13649:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x13957:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1474f:$a5: \Kometa\User Data\Default\Login Data

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe", ParentImage: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, ParentProcessId: 7756, ParentProcessName: Gun Ici Cek Statu Listesi.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe", ProcessId: 7948, ProcessName: powershell.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe", ParentImage: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, ParentProcessId: 7756, ParentProcessName: Gun Ici Cek Statu Listesi.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe", ProcessId: 7948, ProcessName: powershell.exe
Timestamp: 2024-10-31T10:34:08.653662+0100, SID: 2803274, Severity: 2, Classtype: Potentially Bad Traffic, Source IP: 192.168.2.10, Source Port: 49708, Destination IP: 158.101.44.242, Destination Port: 80, Protocol: TCP

AV Detection

Source: 9.2.Gun Ici Cek Statu Listesi.exe.400000.0.unpack, Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "kingnovasend@zqamcx.com", "Password": "Anambraeast", "Server": "zqamcx.com", "To": "kingnovaresult@zqamcx.com", "Port": 587}
Source: Gun Ici Cek Statu Listesi.exe, ReversingLabs: Detection: 34%
Source: Submited Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: Gun Ici Cek Statu Listesi.exe, Joe Sandbox ML: detected

Location Tracking

Source: unknown, DNS query: name: reallyfreegeoip.org
Source: Gun Ici Cek Statu Listesi.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown, HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49710 version: TLS 1.0
Source: Gun Ici Cek Statu Listesi.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: ZvRY.pdb source: Gun Ici Cek Statu Listesi.exe
Source: Binary string: ZvRY.pdbSHA256 source: Gun Ici Cek Statu Listesi.exe
Source: global traffic, HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1, Host: reallyfreegeoip.org, Connection: Keep-Alive
Source: Joe Sandbox View, IP Address: 188.114.97.3
Source: Joe Sandbox View, IP Address: 158.101.44.242
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View, JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown, DNS query: name: checkip.dyndns.org
Source: unknown, DNS query: name: reallyfreegeoip.org
Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49708 -> 158.101.44.242:80
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;), Host: checkip.dyndns.org, Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;), Host: checkip.dyndns.org
Source: unknown, HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49710 version: TLS 1.0
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic, DNS traffic detected: DNS query: reallyfreegeoip.org
Source: Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2540599838.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://checkip.dyndns.com
Source: Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2540599838.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://checkip.dyndns.comd
Source: Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2540599838.0000000002F29000.00000004.00000800.00020000.00000000.sdmp, Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2540599838.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://checkip.dyndns.org
Source: Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2540599838.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://checkip.dyndns.org/
Source: Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2540599838.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://checkip.dyndns.org/d
Source: Gun Ici Cek Statu Listesi.exe, 00000004.00000002.1300730080.0000000004009000.00000004.00000800.00020000.00000000.sdmp, Gun Ici Cek Statu Listesi.exe, 00000004.00000002.1300730080.000000000485A000.00000004.00000800.00020000.00000000.sdmp, Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2538399423.0000000000402000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: http://checkip.dyndns.org/q
Source: Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2540599838.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://checkip.dyndns.orgd
Source: Gun Ici Cek Statu Listesi.exe, String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Gun Ici Cek Statu Listesi.exe, String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: Gun Ici Cek Statu Listesi.exe, String found in binary or memory: http://ocsp.comodoca.com0
Source: Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2540599838.0000000002F5B000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://reallyfreegeoip.org
Source: Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2540599838.0000000002F5B000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://reallyfreegeoip.orgd
Source: Gun Ici Cek Statu Listesi.exe, 00000004.00000002.1298701357.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2540599838.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Gun Ici Cek Statu Listesi.exe, String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: Gun Ici Cek Statu Listesi.exe, 00000004.00000002.1300730080.0000000004009000.00000004.00000800.00020000.00000000.sdmp, Gun Ici Cek Statu Listesi.exe, 00000004.00000002.1300730080.000000000485A000.00000004.00000800.00020000.00000000.sdmp, Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2538399423.0000000000402000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2540599838.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://reallyfreegeoip.org
Source: Gun Ici Cek Statu Listesi.exe, 00000004.00000002.1300730080.0000000004009000.00000004.00000800.00020000.00000000.sdmp, Gun Ici Cek Statu Listesi.exe, 00000004.00000002.1300730080.000000000485A000.00000004.00000800.00020000.00000000.sdmp, Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2540599838.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp, Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2538399423.0000000000402000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2540599838.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.77d
Source: Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2540599838.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.77l
Source: Gun Ici Cek Statu Listesi.exe, String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: unknown, Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49710

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 4.2.Gun Ici Cek Statu Listesi.exe.403d0f0.2.raw.unpack, UltraSpeed.cs, .Net Code: VKCodeToUnicode
Source: 4.2.Gun Ici Cek Statu Listesi.exe.40262d0.1.raw.unpack, UltraSpeed.cs, .Net Code: VKCodeToUnicode

System Summary

Source: 4.2.Gun Ici Cek Statu Listesi.exe.403d0f0.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 4.2.Gun Ici Cek Statu Listesi.exe.403d0f0.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 9.2.Gun Ici Cek Statu Listesi.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 9.2.Gun Ici Cek Statu Listesi.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 4.2.Gun Ici Cek Statu Listesi.exe.40262d0.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 4.2.Gun Ici Cek Statu Listesi.exe.40262d0.1.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 4.2.Gun Ici Cek Statu Listesi.exe.403d0f0.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 4.2.Gun Ici Cek Statu Listesi.exe.403d0f0.2.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 4.2.Gun Ici Cek Statu Listesi.exe.4a27740.3.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 4.2.Gun Ici Cek Statu Listesi.exe.4a27740.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 4.2.Gun Ici Cek Statu Listesi.exe.40262d0.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 4.2.Gun Ici Cek Statu Listesi.exe.49ceb20.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 4.2.Gun Ici Cek Statu Listesi.exe.40262d0.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 4.2.Gun Ici Cek Statu Listesi.exe.49ceb20.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 00000004.00000002.1300730080.0000000004009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 00000009.00000002.2538399423.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 00000004.00000002.1300730080.000000000485A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: Process Memory Space: Gun Ici Cek Statu Listesi.exe PID: 7756, type: MEMORYSTR, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: Process Memory Space: Gun Ici Cek Statu Listesi.exe PID: 7964, type: MEMORYSTR, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeCode function: 9_2_0675CDD09_2_0675CDD0
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeCode function: 9_2_0675ED809_2_0675ED80
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeCode function: 9_2_0675A2709_2_0675A270
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeCode function: 9_2_0675FA789_2_0675FA78
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeCode function: 9_2_0675A2619_2_0675A261
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeCode function: 9_2_0675D2359_2_0675D235
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeCode function: 9_2_0675D2389_2_0675D238
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeCode function: 9_2_06752AF09_2_06752AF0
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeCode function: 9_2_06752AE09_2_06752AE0
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeCode function: 9_2_0675FA889_2_0675FA88
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeCode function: 9_2_0675AB209_2_0675AB20
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeCode function: 9_2_0675AB109_2_0675AB10
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeCode function: 9_2_0675B3D09_2_0675B3D0
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeCode function: 9_2_0675B3C19_2_0675B3C1
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeCode function: 9_2_067533A09_2_067533A0
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeCode function: 9_2_067533939_2_06753393
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeCode function: 9_2_0675E0789_2_0675E078
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeCode function: 9_2_0675E0689_2_0675E068
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeCode function: 9_2_067500409_2_06750040
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeCode function: 9_2_0675B8289_2_0675B828
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeCode function: 9_2_0675001F9_2_0675001F
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeCode function: 9_2_0675B8189_2_0675B818
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeCode function: 9_2_067500079_2_06750007
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeCode function: 9_2_067508F09_2_067508F0
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeCode function: 9_2_067508DF9_2_067508DF
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeCode function: 9_2_0675C0D89_2_0675C0D8
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeCode function: 9_2_0675C0CB9_2_0675C0CB
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeCode function: 9_2_067540A89_2_067540A8
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeCode function: 9_2_067540989_2_06754098
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeCode function: 9_2_0675C97B9_2_0675C97B
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeCode function: 9_2_0675E9239_2_0675E923
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeCode function: 9_2_0675E9289_2_0675E928
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeCode function: 9_2_0675F1D89_2_0675F1D8
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeCode function: 9_2_0675F1C89_2_0675F1C8
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeCode function: 9_2_067511A09_2_067511A0
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeCode function: 9_2_0675118F9_2_0675118F
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeCode function: 9_2_0675C9889_2_0675C988
                Source: Gun Ici Cek Statu Listesi.exe Static PE information: invalid certificate
                Source: Gun Ici Cek Statu Listesi.exe, 00000004.00000000.1277508725.0000000000B7E000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: OriginalFilenameZvRY.exe: vs Gun Ici Cek Statu Listesi.exe
                Source: Gun Ici Cek Statu Listesi.exe, 00000004.00000002.1300730080.0000000004009000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCloudServices.exe< vs Gun Ici Cek Statu Listesi.exe
                Source: Gun Ici Cek Statu Listesi.exe, 00000004.00000002.1298701357.00000000031E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCloudServices.exe< vs Gun Ici Cek Statu Listesi.exe
                Source: Gun Ici Cek Statu Listesi.exe, 00000004.00000002.1297342715.000000000125E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Gun Ici Cek Statu Listesi.exe
                Source: Gun Ici Cek Statu Listesi.exe, 00000004.00000002.1307079322.000000000B860000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Gun Ici Cek Statu Listesi.exe
                Source: Gun Ici Cek Statu Listesi.exe, 00000004.00000002.1300730080.000000000485A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Gun Ici Cek Statu Listesi.exe
                Source: Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2538708730.0000000000DD7000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Gun Ici Cek Statu Listesi.exe
                Source: Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2538399423.000000000041A000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCloudServices.exe< vs Gun Ici Cek Statu Listesi.exe
                Source: Gun Ici Cek Statu Listesi.exe Binary or memory string: OriginalFilenameZvRY.exe: vs Gun Ici Cek Statu Listesi.exe
                Source: Gun Ici Cek Statu Listesi.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 4.2.Gun Ici Cek Statu Listesi.exe.403d0f0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 4.2.Gun Ici Cek Statu Listesi.exe.403d0f0.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 9.2.Gun Ici Cek Statu Listesi.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 9.2.Gun Ici Cek Statu Listesi.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 4.2.Gun Ici Cek Statu Listesi.exe.40262d0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 4.2.Gun Ici Cek Statu Listesi.exe.40262d0.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 4.2.Gun Ici Cek Statu Listesi.exe.403d0f0.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 4.2.Gun Ici Cek Statu Listesi.exe.403d0f0.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 4.2.Gun Ici Cek Statu Listesi.exe.4a27740.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 4.2.Gun Ici Cek Statu Listesi.exe.4a27740.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 4.2.Gun Ici Cek Statu Listesi.exe.40262d0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 4.2.Gun Ici Cek Statu Listesi.exe.49ceb20.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 4.2.Gun Ici Cek Statu Listesi.exe.40262d0.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 4.2.Gun Ici Cek Statu Listesi.exe.49ceb20.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 00000004.00000002.1300730080.0000000004009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000009.00000002.2538399423.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000004.00000002.1300730080.000000000485A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: Gun Ici Cek Statu Listesi.exe PID: 7756, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: Gun Ici Cek Statu Listesi.exe PID: 7964, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Gun Ici Cek Statu Listesi.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 4.2.Gun Ici Cek Statu Listesi.exe.403d0f0.2.raw.unpack, UltraSpeed.cs Cryptographic APIs: 'TransformFinalBlock'
                Source: 4.2.Gun Ici Cek Statu Listesi.exe.403d0f0.2.raw.unpack, COVIDPickers.cs Cryptographic APIs: 'TransformFinalBlock'
                Source: 4.2.Gun Ici Cek Statu Listesi.exe.40262d0.1.raw.unpack, UltraSpeed.cs Cryptographic APIs: 'TransformFinalBlock'
                Source: 4.2.Gun Ici Cek Statu Listesi.exe.40262d0.1.raw.unpack, COVIDPickers.cs Cryptographic APIs: 'TransformFinalBlock'
                Source: 4.2.Gun Ici Cek Statu Listesi.exe.49ceb20.0.raw.unpack, BHbhGjLmSJtKoaQuHX.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 4.2.Gun Ici Cek Statu Listesi.exe.4a27740.3.raw.unpack, oxKxmVMjJtO0UCCOse.cs Security API names: _0020.SetAccessControl
                Source: 4.2.Gun Ici Cek Statu Listesi.exe.4a27740.3.raw.unpack, oxKxmVMjJtO0UCCOse.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 4.2.Gun Ici Cek Statu Listesi.exe.4a27740.3.raw.unpack, oxKxmVMjJtO0UCCOse.cs Security API names: _0020.AddAccessRule
                Source: 4.2.Gun Ici Cek Statu Listesi.exe.b860000.5.raw.unpack, BHbhGjLmSJtKoaQuHX.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 4.2.Gun Ici Cek Statu Listesi.exe.4a27740.3.raw.unpack, BHbhGjLmSJtKoaQuHX.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 4.2.Gun Ici Cek Statu Listesi.exe.49ceb20.0.raw.unpack, oxKxmVMjJtO0UCCOse.cs Security API names: _0020.SetAccessControl
                Source: 4.2.Gun Ici Cek Statu Listesi.exe.49ceb20.0.raw.unpack, oxKxmVMjJtO0UCCOse.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 4.2.Gun Ici Cek Statu Listesi.exe.49ceb20.0.raw.unpack, oxKxmVMjJtO0UCCOse.cs Security API names: _0020.AddAccessRule
                Source: 4.2.Gun Ici Cek Statu Listesi.exe.b860000.5.raw.unpack, oxKxmVMjJtO0UCCOse.cs Security API names: _0020.SetAccessControl
                Source: 4.2.Gun Ici Cek Statu Listesi.exe.b860000.5.raw.unpack, oxKxmVMjJtO0UCCOse.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 4.2.Gun Ici Cek Statu Listesi.exe.b860000.5.raw.unpack, oxKxmVMjJtO0UCCOse.cs Security API names: _0020.AddAccessRule
                Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/6@2/2
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Gun Ici Cek Statu Listesi.exe.log
                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7956:120:WilError_03
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Mutant created: NULL
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_44kxd1iw.rn2.ps1
                Source: Gun Ici Cek Statu Listesi.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2541549233.0000000003EED000.00000004.00000800.00020000.00000000.sdmp, Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2540599838.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp, Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2540599838.0000000002FAE000.00000004.00000800.00020000.00000000.sdmp, Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2540599838.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2540599838.0000000002FBC000.00000004.00000800.00020000.00000000.sdmp, Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2540599838.0000000002FDD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: Gun Ici Cek Statu Listesi.exe ReversingLabs: Detection: 34%
                Source: unknown Process created: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe "C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe"
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Process created: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe "C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe"
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Section loaded: version.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Section loaded: dwrite.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Section loaded: textshaping.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Section loaded: propsys.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Section loaded: edputil.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Section loaded: appresolver.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Section loaded: bcp47langs.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Section loaded: slc.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Section loaded: sppc.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Section loaded: version.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Section loaded: rasapi32.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Section loaded: rasman.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Section loaded: rtutils.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Section loaded: dhcpcsvc6.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Section loaded: dhcpcsvc.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Section loaded: dnsapi.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Section loaded: fwpuclnt.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Section loaded: secur32.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Section loaded: schannel.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Section loaded: mskeyprotect.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Section loaded: ncryptsslp.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Section loaded: dpapi.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: Window Recorder, Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: Gun Ici Cek Statu Listesi.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: Gun Ici Cek Statu Listesi.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Gun Ici Cek Statu Listesi.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: ZvRY.pdb source: Gun Ici Cek Statu Listesi.exe
                Source: Binary string: ZvRY.pdbSHA256 source: Gun Ici Cek Statu Listesi.exe

                Data Obfuscation

                Source: 4.2.Gun Ici Cek Statu Listesi.exe.59d0000.4.raw.unpack, XlF5VlCIHRSQX8M5eh.cs, .Net Code: _200C_200C_202D_206C_200B_206A_206D_200B_200D_200C_202D_206A_206D_202A_206A_206B_202B_206C_202D_200B_202E_202B_202A_206C_206A_206D_202D_206B_206D_206B_200D_202B_202D_206C_206F_206C_200B_202B_206A_206D_202E System.Reflection.Assembly.Load(byte[])
                Source: 4.2.Gun Ici Cek Statu Listesi.exe.4a27740.3.raw.unpack, oxKxmVMjJtO0UCCOse.cs, .Net Code: CP5JbSSsFD System.Reflection.Assembly.Load(byte[])
                Source: 4.2.Gun Ici Cek Statu Listesi.exe.49ceb20.0.raw.unpack, oxKxmVMjJtO0UCCOse.cs, .Net Code: CP5JbSSsFD System.Reflection.Assembly.Load(byte[])
                Source: 4.2.Gun Ici Cek Statu Listesi.exe.b860000.5.raw.unpack, oxKxmVMjJtO0UCCOse.cs, .Net Code: CP5JbSSsFD System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Code function: 9_2_053CF273 push ebp; retf 9_2_053CF281
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Code function: 9_2_053CF28A push ebp; retf 9_2_053CF281
                Source: Gun Ici Cek Statu Listesi.exe, Static PE information: section name: .text entropy: 7.541144126728436
                Source: 4.2.Gun Ici Cek Statu Listesi.exe.4a27740.3.raw.unpack: High entropy of concatenated method names
                Source: 4.2.Gun Ici Cek Statu Listesi.exe.49ceb20.0.raw.unpack: High entropy of concatenated method names
                Source: 4.2.Gun Ici Cek Statu Listesi.exe.b860000.5.raw.unpack: High entropy of concatenated method names

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe, Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match File source: Process Memory Space: Gun Ici Cek Statu Listesi.exe PID: 7756, type: MEMORYSTR
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Memory allocated: 11E0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Memory allocated: 3000000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Memory allocated: 2D50000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Memory allocated: 91E0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Memory allocated: A1E0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Memory allocated: A3F0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Memory allocated: B3F0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Memory allocated: B8C0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Memory allocated: C8C0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Memory allocated: D8C0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Memory allocated: 2E70000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Memory allocated: 2EC0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Memory allocated: 4EC0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6439
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3315
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe TID: 7776 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8136 Thread sleep time: -7378697629483816s >= -30000s
                Source: Gun Ici Cek Statu Listesi.exe, 00000004.00000002.1297342715.0000000001293000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\(
                Source: Gun Ici Cek Statu Listesi.exe, 00000004.00000002.1297342715.0000000001293000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*W
                Source: Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2539045169.0000000001222000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Code function: 9_2_053CC168 LdrInitializeThunk,LdrInitializeThunk,9_2_053CC168
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Process token adjusted: Debug
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: 4.2.Gun Ici Cek Statu Listesi.exe.403d0f0.2.raw.unpack, UltraSpeed.cs Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
                Source: 4.2.Gun Ici Cek Statu Listesi.exe.403d0f0.2.raw.unpack, FFDecryptor.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
                Source: 4.2.Gun Ici Cek Statu Listesi.exe.403d0f0.2.raw.unpack, FFDecryptor.cs Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe"
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Memory written: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Process created: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe "C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe"
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Queries volume information: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe VolumeInformation
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeQueries volume information: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                Source: Yara match, File source: 4.2.Gun Ici Cek Statu Listesi.exe.403d0f0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 9.2.Gun Ici Cek Statu Listesi.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.2.Gun Ici Cek Statu Listesi.exe.40262d0.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.2.Gun Ici Cek Statu Listesi.exe.403d0f0.2.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.2.Gun Ici Cek Statu Listesi.exe.4a27740.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.2.Gun Ici Cek Statu Listesi.exe.40262d0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.2.Gun Ici Cek Statu Listesi.exe.49ceb20.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000004.00000002.1300730080.0000000004009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000009.00000002.2538399423.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000004.00000002.1300730080.000000000485A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: Gun Ici Cek Statu Listesi.exe PID: 7756, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: Gun Ici Cek Statu Listesi.exe PID: 7964, type: MEMORYSTR
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: Yara match, File source: 00000009.00000002.2540599838.0000000003014000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                Remote Access Functionality

                Source: Yara match, File source: 4.2.Gun Ici Cek Statu Listesi.exe.403d0f0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 9.2.Gun Ici Cek Statu Listesi.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.2.Gun Ici Cek Statu Listesi.exe.40262d0.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.2.Gun Ici Cek Statu Listesi.exe.403d0f0.2.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.2.Gun Ici Cek Statu Listesi.exe.4a27740.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.2.Gun Ici Cek Statu Listesi.exe.40262d0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.2.Gun Ici Cek Statu Listesi.exe.49ceb20.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000004.00000002.1300730080.0000000004009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000009.00000002.2538399423.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000004.00000002.1300730080.000000000485A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: Gun Ici Cek Statu Listesi.exe PID: 7756, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: Gun Ici Cek Statu Listesi.exe PID: 7964, type: MEMORYSTR

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 111 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Email Collection | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Disable or Modify Tools | 1 Input Capture | 1 Process Discovery | Remote Desktop Protocol | 1 Input Capture | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 31 Virtualization/Sandbox Evasion | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 11 Archive Collected Data | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 111 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | 1 Data from Local System | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 System Network Configuration Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 13 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

                Source | Detection | Scanner | Label | Link
                Gun Ici Cek Statu Listesi.exe | 34% | ReversingLabs | ByteCode-MSIL.Trojan.Generic | -
                Gun Ici Cek Statu Listesi.exe | 100% | Joe Sandbox ML | - | -
                No Antivirus matches

                Source | Detection | Scanner | Label | Link
                http://checkip.dyndns.org/ | 0% | URL Reputation | safe | -
                http://checkip.dyndns.org/q | 0% | URL Reputation | safe | -
                http://reallyfreegeoip.org | 0% | URL Reputation | safe | -
                https://reallyfreegeoip.org | 0% | URL Reputation | safe | -
                http://checkip.dyndns.org | 0% | URL Reputation | safe | -
                http://checkip.dyndns.com | 0% | URL Reputation | safe | -
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe | -
                https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | 0% | URL Reputation | safe | -
                https://reallyfreegeoip.org/xml/ | 0% | URL Reputation | safe | -

                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                reallyfreegeoip.org | 188.114.97.3 | true | true | - | unknown
                checkip.dyndns.com | 158.101.44.242 | true | false | - | unknown
                checkip.dyndns.org | unknown | unknown | true | - | unknown

                Name | Malicious | Antivirus Detection | Reputation
                http://checkip.dyndns.org/ | false | URL Reputation: safe | unknown
                https://reallyfreegeoip.org/xml/173.254.250.77 | false | - | unknown

                Name | Source | Malicious | Antivirus Detection | Reputation
                https://reallyfreegeoip.org/xml/173.254.250.77d | Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2540599838.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
                http://checkip.dyndns.comd | Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2540599838.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
                https://reallyfreegeoip.org/xml/173.254.250.77l | Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2540599838.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
                http://checkip.dyndns.org/q | Gun Ici Cek Statu Listesi.exe, 00000004.00000002.1300730080.0000000004009000.00000004.00000800.00020000.00000000.sdmp, Gun Ici Cek Statu Listesi.exe, 00000004.00000002.1300730080.000000000485A000.00000004.00000800.00020000.00000000.sdmp, Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2538399423.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://reallyfreegeoip.orgd | Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2540599838.0000000002F5B000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
                http://tempuri.org/DataSet1.xsd | Gun Ici Cek Statu Listesi.exe | false | - | unknown
                http://reallyfreegeoip.org | Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2540599838.0000000002F5B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://checkip.dyndns.orgd | Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2540599838.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
                https://reallyfreegeoip.org | Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2540599838.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://checkip.dyndns.org | Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2540599838.0000000002F29000.00000004.00000800.00020000.00000000.sdmp, Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2540599838.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://checkip.dyndns.com | Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2540599838.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://checkip.dyndns.org/d | Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2540599838.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Gun Ici Cek Statu Listesi.exe, 00000004.00000002.1298701357.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2540599838.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | Gun Ici Cek Statu Listesi.exe | false | URL Reputation: safe | unknown
                https://api.telegram.org/bot-/sendDocument?chat_id= | Gun Ici Cek Statu Listesi.exe, 00000004.00000002.1300730080.0000000004009000.00000004.00000800.00020000.00000000.sdmp, Gun Ici Cek Statu Listesi.exe, 00000004.00000002.1300730080.000000000485A000.00000004.00000800.00020000.00000000.sdmp, Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2538399423.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | - | unknown
                https://reallyfreegeoip.org/xml/ | Gun Ici Cek Statu Listesi.exe, 00000004.00000002.1300730080.0000000004009000.00000004.00000800.00020000.00000000.sdmp, Gun Ici Cek Statu Listesi.exe, 00000004.00000002.1300730080.000000000485A000.00000004.00000800.00020000.00000000.sdmp, Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2540599838.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp, Gun Ici Cek Statu Listesi.exe, 00000009.00000002.2538399423.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown

                IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                188.114.97.3 | reallyfreegeoip.org | European Union | - | 13335 | CLOUDFLARENETUS | true
                158.101.44.242 | checkip.dyndns.com | United States | - | 31898 | ORACLE-BMC-31898US | false

                                        Joe Sandbox version: 41.0.0 Charoite
                                        Analysis ID: 1545932
                                        Start date and time: 2024-10-31 10:33:09 +01:00
                                        Joe Sandbox product: CloudBasic
                                        Overall analysis duration: 0h 5m 49s
                                        Hypervisor based Inspection enabled: false
                                        Report type: full
                                        Cookbook file name: default.jbs
                                        Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                        Number of analysed new started processes analysed: 14
                                        Number of new started drivers analysed: 0
                                        Number of existing processes analysed: 0
                                        Number of existing drivers analysed: 0
                                        Number of injected processes analysed: 0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • AMSI enabled
                                        Analysis Mode: default
                                        Analysis stop reason: Timeout
                                        Sample name: Gun Ici Cek Statu Listesi.exe
                                        Detection: MAL
                                        Classification: mal100.troj.spyw.evad.winEXE@6/6@2/2
                                        EGA Information:
                                        • Successful, ratio: 100%
                                        HCA Information:
                                        • Successful, ratio: 100%
                                        • Number of executed functions: 70
                                        • Number of non-executed functions: 44
                                        Cookbook Comments:
                                        • Found application associated with file extension: .exe
                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                        • Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                        • Not all processes where analyzed, report is missing behavior information
                                        • Report size getting too big, too many NtCreateKey calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                        • VT rate limit hit for: Gun Ici Cek Statu Listesi.exe

                                        Time | Type | Description
                                        05:34:04 | API Interceptor | 3x Sleep call for process: Gun Ici Cek Statu Listesi.exe modified
                                        05:34:06 | API Interceptor | 15x Sleep call for process: powershell.exe modified
                                        Process:C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1216
                                        Entropy (8bit):5.34331486778365
                                        Encrypted:false
                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                        Malicious:true
                                        Reputation:high, very likely benign file
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):1172
                                        Entropy (8bit):5.357042452875322
                                        Encrypted:false
                                        SSDEEP:24:3CytZWSKco4KmZjKbm51s4RPT6moUebIKo+mZ9t7J0gt/NKIl9r+q:yyjWSU4xymI4RfoUeW+mZ9tK8ND3
                                        MD5:827C68C8F65D2B0800E6791B34AB6D2E
                                        SHA1:151BC96F9C26C53E02D2E0DA64995A462D0C3B4E
                                        SHA-256:6B22A727792EC2ACE1BC27BF00BECBBD842902F2FD0FC813CF45A21A986377D5
                                        SHA-512:67E9E89C531B2CDF47FCBBA3F036EA66427631A8EBF287A26DD35AFB114AF6E2D945304CBF72B94358245FEED658F9BA6E19B29879AE6488D8DC7A143DCC146D
                                        Malicious:false
                                        Reputation:moderate, very likely benign file
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Reputation:high, very likely benign file
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):7.012551265178085
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                        • Win32 Executable (generic) a (10002005/4) 49.97%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        • DOS Executable Generic (2002/1) 0.01%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                        File name:Gun Ici Cek Statu Listesi.exe
                                        File size:932'872 bytes
                                        MD5:3dc6111263e1e236519080dbea81c1f1
                                        SHA1:1600ba53fdd878a0d93e7eaabec5b82558c8d6f2
                                        SHA256:29ce0132efcb5e1aad146065672d83b6b4ced076f1c91a851c8b34a30e7e08eb
                                        SHA512:051c1588a01320d03845f4cfe4bd03dbd2a5281ef80313929397fe11da6a7e43848102b6f527d19c924d2f757b6feefb2dc1253cc34c11cd2d9d16b024827de8
                                        SSDEEP:12288:AZRrXQ9TZweOjcQjabDu0zUmoKzHwIpwxyI1E4y0L4idflnXirA7PZxkR:QwOjdeut7Kslxy8fMrEa
                                        TLSH:441529D0B1609B5AED6B0AF1AD2AEC3011E26E9C74A4E14D1ADD7B5736F3301245EF0E
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...'##g..............0..v..........:.... ........@.. .......................`............@................................
                                        Icon Hash:aea4accc16a3d9be
                                        Entrypoint:0x49953a
                                        Entrypoint Section:.text
                                        Digitally signed:true
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x67232327 [Thu Oct 31 06:26:47 2024 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                        Signature Valid:false
                                        Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                        Signature Validation Error:The digital signature of the object did not verify
                                        Error Number:-2146869232
                                        Not Before, Not After
                                        • 13/11/2018 01:00:00 09/11/2021 00:59:59
                                        Subject Chain
                                        • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                                        Version:3
                                        Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                                        Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                                        Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                                        Serial:7C1118CBBADC95DA3752C46E47A27438
                                        Instruction
                                        jmp dword ptr [00402000h]
                                        push ebx
                                        add byte ptr [ecx+00h], bh
                                        jnc 00007F606CF9BB02h
                                        je 00007F606CF9BB02h
                                        add byte ptr [ebp+00h], ch
                                        add byte ptr [ecx+00h], al
                                        arpl word ptr [eax], ax
                                        je 00007F606CF9BB02h
                                        imul eax, dword ptr [eax], 00610076h
                                        je 00007F606CF9BB02h
                                        outsd
                                        add byte ptr [edx+00h], dh
                                        add dword ptr [eax], eax
                                        add byte ptr [eax], al
                                        add al, byte ptr [eax]
                                        add byte ptr [eax], al
                                        add eax, dword ptr [eax]
                                        add byte ptr [eax], al
                                        add al, 00h
                                        add byte ptr [eax], al
                                        add eax, 00000000h
                                        add byte ptr [eax], al
                                        Name | Virtual Address | Virtual Size | Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x994e7 | 0x4f | .text
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9a000 | 0x48a8c | .rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0xe0600 | 0x3608 |
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe4000 | 0xc | .reloc
                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x96168 | 0x54 | .text
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                        .text | 0x2000 | 0x97578 | 0x97600 | 44367a950a52aecbef7dc142c17fcdd6 | False | 0.8063003199834847 | data | 7.541144126728436 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                        .rsrc | 0x9a000 | 0x48a8c | 0x48c00 | 6c84f526680151201a1d0aa354077f31 | False | 0.06319131228522337 | data | 4.771672744323836 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .reloc | 0xe4000 | 0xc | 0x200 | c61bb5ed5b2c5a0a6337a52c858e091a | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x9a2e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 0 |  |  | 0.1798780487804878
RT_ICON | 0x9a948 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 |  |  | 0.2513440860215054
RT_ICON | 0x9ac30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 |  |  | 0.3918918918918919
RT_ICON | 0x9ad58 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 |  |  | 0.3200959488272921
RT_ICON | 0x9bc00 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 |  |  | 0.33664259927797835
RT_ICON | 0x9c4a8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 |  |  | 0.2622832369942196
RT_ICON | 0x9ca10 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 0 |  |  | 0.04393141403083114
RT_ICON | 0xdea38 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 |  |  | 0.18786307053941909
RT_ICON | 0xe0fe0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 |  |  | 0.2453095684803002
RT_ICON | 0xe2088 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 |  |  | 0.3484042553191489
RT_GROUP_ICON | 0xe24f0 | 0x92 | data |  |  | 0.5753424657534246
RT_VERSION | 0xe2584 | 0x31c | data |  |  | 0.43467336683417085
RT_MANIFEST | 0xe28a0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators |  |  | 0.5489795918367347

DLL | Import
mscoree.dll | _CorExeMain

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-31T10:34:08.653662+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49708 | 158.101.44.242 | 80 | TCP

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 31, 2024 10:34:06.681960106 CET | 50173 | 53 | 192.168.2.10 | 1.1.1.1
Oct 31, 2024 10:34:06.689011097 CET | 53 | 50173 | 1.1.1.1 | 192.168.2.10
Oct 31, 2024 10:34:08.604856968 CET | 51745 | 53 | 192.168.2.10 | 1.1.1.1
Oct 31, 2024 10:34:08.614218950 CET | 53 | 51745 | 1.1.1.1 | 192.168.2.10

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 31, 2024 10:34:06.681960106 CET | 192.168.2.10 | 1.1.1.1 | 0x9be | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Oct 31, 2024 10:34:08.604856968 CET | 192.168.2.10 | 1.1.1.1 | 0x38bc | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 31, 2024 10:34:06.689011097 CET | 1.1.1.1 | 192.168.2.10 | 0x9be | No error (0) | checkip.dyndns.org | checkip.dyndns.com |  | CNAME (Canonical name) | IN (0x0001) | false
Oct 31, 2024 10:34:06.689011097 CET | 1.1.1.1 | 192.168.2.10 | 0x9be | No error (0) | checkip.dyndns.com |  | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Oct 31, 2024 10:34:06.689011097 CET | 1.1.1.1 | 192.168.2.10 | 0x9be | No error (0) | checkip.dyndns.com |  | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Oct 31, 2024 10:34:06.689011097 CET | 1.1.1.1 | 192.168.2.10 | 0x9be | No error (0) | checkip.dyndns.com |  | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Oct 31, 2024 10:34:06.689011097 CET | 1.1.1.1 | 192.168.2.10 | 0x9be | No error (0) | checkip.dyndns.com |  | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Oct 31, 2024 10:34:06.689011097 CET | 1.1.1.1 | 192.168.2.10 | 0x9be | No error (0) | checkip.dyndns.com |  | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Oct 31, 2024 10:34:08.614218950 CET | 1.1.1.1 | 192.168.2.10 | 0x38bc | No error (0) | reallyfreegeoip.org |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 31, 2024 10:34:08.614218950 CET | 1.1.1.1 | 192.168.2.10 | 0x38bc | No error (0) | reallyfreegeoip.org |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                                        • reallyfreegeoip.org
                                        • checkip.dyndns.org

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49708 | 158.101.44.242 | 80 | 7964 | C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe

Timestamp | Bytes transferred | Direction | Data
Oct 31, 2024 10:34:06.700608969 CET | 151 | OUT | GET / HTTP/1.1
                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                        Host: checkip.dyndns.org
                                        Connection: Keep-Alive
Oct 31, 2024 10:34:08.408632994 CET | 323 | IN | HTTP/1.1 200 OK
                                        Date: Thu, 31 Oct 2024 09:34:08 GMT
                                        Content-Type: text/html
                                        Content-Length: 106
                                        Connection: keep-alive
                                        Cache-Control: no-cache
                                        Pragma: no-cache
                                        X-Request-ID: bfcaea6b22d71fcac992590d823e1d98
                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.77</body></html>
Oct 31, 2024 10:34:08.450146914 CET | 127 | OUT | GET / HTTP/1.1
                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                        Host: checkip.dyndns.org
Oct 31, 2024 10:34:08.602997065 CET | 323 | IN | HTTP/1.1 200 OK
                                        Date: Thu, 31 Oct 2024 09:34:08 GMT
                                        Content-Type: text/html
                                        Content-Length: 106
                                        Connection: keep-alive
                                        Cache-Control: no-cache
                                        Pragma: no-cache
                                        X-Request-ID: 79632f183eaee41d9fffd2f7a9070ef8
                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.77</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49710 | 188.114.97.3 | 443 | 7964 | C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-31 09:34:09 UTC | 87 | OUT | GET /xml/173.254.250.77 HTTP/1.1
                                        Host: reallyfreegeoip.org
                                        Connection: Keep-Alive
2024-10-31 09:34:09 UTC | 1210 | IN | HTTP/1.1 200 OK
                                        Date: Thu, 31 Oct 2024 09:34:09 GMT
                                        Content-Type: text/xml
                                        Content-Length: 359
                                        Connection: close
                                        x-amzn-requestid: c513f531-357c-4a16-aa65-2a7ce9db2710
                                        x-amzn-trace-id: Root=1-67233ef5-6f781100758ed25925d14b1f;Parent=79f937a2f15fcb5d;Sampled=0;Lineage=1:fc9e8231:0
                                        x-cache: Miss from cloudfront
                                        via: 1.1 6731676908e2f9fd15d695e4cfc5dc0c.cloudfront.net (CloudFront)
                                        x-amz-cf-pop: DFW57-P5
                                        x-amz-cf-id: vn-E2QddJo8J5bH3iv-sVGfh-RHrFUSg7-ibKlijEvDnaoVwc3aSew==
                                        Cache-Control: max-age=31536000
                                        CF-Cache-Status: HIT
                                        Age: 4124
                                        Last-Modified: Thu, 31 Oct 2024 08:25:25 GMT
                                        Accept-Ranges: bytes
                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=k3KyXSVPATNpxNVkXZu8HdmzbEU1yafwN0TmP1hAicMEKA6rblVLGl0wqwDe6GTlZWJZIeB3Gq0WjwRufGZ96z4LPo3hmU9q2Z7kKxXSiP6GXySjVA2w7mFDmbsJQ7EQ36FUkJa5"}],"group":"cf-nel","max_age":604800}
                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                        Server: cloudflare
                                        CF-RAY: 8db2a5cd2cbf3160-DFW
                                        alt-svc: h3=":443"; ma=86400
                                        server-timing: cfL4;desc="?proto=TCP&rtt=1597&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=1796526&cwnd=240&unsent_bytes=0&cid=c70c56f378836edf&ts=264&x=0"
2024-10-31 09:34:09 UTC | 159 | IN | Data Ascii: <Response><IP>173.254.250.77</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</R
2024-10-31 09:34:09 UTC | 200 | IN | Data Ascii: egionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>



                                        Target ID:4
                                        Start time:05:34:03
                                        Start date:31/10/2024
                                        Path:C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe"
                                        Imagebase:0xae0000
                                        File size:932'872 bytes
                                        MD5 hash:3DC6111263E1E236519080DBEA81C1F1
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000004.00000002.1300730080.0000000004009000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1300730080.0000000004009000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.1300730080.0000000004009000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.1300730080.0000000004009000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                        • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000004.00000002.1300730080.000000000485A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1300730080.000000000485A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.1300730080.000000000485A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.1300730080.000000000485A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                        Reputation:low
                                        Has exited:true

                                        Target ID:7
                                        Start time:05:34:05
                                        Start date:31/10/2024
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe"
                                        Imagebase:0x90000
                                        File size:433'152 bytes
                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:8
                                        Start time:05:34:05
                                        Start date:31/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff620390000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:9
                                        Start time:05:34:05
                                        Start date:31/10/2024
                                        Path:C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\Gun Ici Cek Statu Listesi.exe"
                                        Imagebase:0xb60000
                                        File size:932'872 bytes
                                        MD5 hash:3DC6111263E1E236519080DBEA81C1F1
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000009.00000002.2538399423.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2538399423.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000009.00000002.2538399423.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000009.00000002.2538399423.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2540599838.0000000003014000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:false


                                          Execution Graph

                                          Execution Coverage:9.3%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:4.4%
                                          Total number of Nodes:91
                                          Total number of Limit Nodes:6

                                          Control-flow Graph

                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 0120D65E
                                          • GetCurrentThread.KERNEL32 ref: 0120D69B
                                          • GetCurrentProcess.KERNEL32 ref: 0120D6D8
                                          • GetCurrentThreadId.KERNEL32 ref: 0120D731
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.1296827063.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_1200000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0
                                          • Opcode ID: 6fa5a14d689695ecc7341689bca8234016f1970d51d35375dda98a559b803d3b
                                          • Instruction ID: bc8b135882f95bcedfa15e0aa23b24b6fad0284f454f8d37beebd134971ddf7a
                                          • Opcode Fuzzy Hash: 6fa5a14d689695ecc7341689bca8234016f1970d51d35375dda98a559b803d3b
                                          • Instruction Fuzzy Hash: 0D5188B09113498FDB18CFAAE588BEEBBF1EF48300F20C059D019A7292D7755885CF25

                                          Control-flow Graph

                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 0120D65E
                                          • GetCurrentThread.KERNEL32 ref: 0120D69B
                                          • GetCurrentProcess.KERNEL32 ref: 0120D6D8
                                          • GetCurrentThreadId.KERNEL32 ref: 0120D731
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.1296827063.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_1200000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0
                                          • Opcode ID: 5d02152c2d9b053f7765eac72e0645a4ae0969489fe45a94b69bbb95795f2c0e
                                          • Instruction ID: f3675ce008d46c4408674dcee9230cadd9816cb6aea7c79eb51a1c4af2ec9bb9
                                          • Opcode Fuzzy Hash: 5d02152c2d9b053f7765eac72e0645a4ae0969489fe45a94b69bbb95795f2c0e
                                          • Instruction Fuzzy Hash: 0A5187B09013498FDB18CFAAE588BDEBBF1EF88304F20C059D019A7292C7755881CF65

                                          Control-flow Graph

                                          APIs
                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0777D8A6
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.1306011573.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7770000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 963d3b4f6c56e42c72ab820272b83c142616174d6af2ee54670f8b4801671f66
                                          • Instruction ID: 56c25f8ecbb341f2dd9c0f8f9b3cc8c38289d5abd5dc3887573b917fc0f9b1ef
                                          • Opcode Fuzzy Hash: 963d3b4f6c56e42c72ab820272b83c142616174d6af2ee54670f8b4801671f66
                                          • Instruction Fuzzy Hash: 30A149B1E0065A9FEF20DFA8C840BEDBBB2FF48354F148569D849A7240DB749985CF91

                                          Control-flow Graph

                                          APIs
                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0777D8A6
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.1306011573.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7770000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: c41c48ec17fd3c30d0369ef5d41c0a8beffa1949d8dd09ec4a07ebe6119e7006
                                          • Instruction ID: d8382ff3d043b01548348c436b0ed987331aa8e1c0df0a7e5d5cfa3768a269e4
                                          • Opcode Fuzzy Hash: c41c48ec17fd3c30d0369ef5d41c0a8beffa1949d8dd09ec4a07ebe6119e7006
                                          • Instruction Fuzzy Hash: 219149B1E0025A9FEF20DF68C840BEDBBB2BF48354F148569D849A7240DB749985CF91

                                          Control-flow Graph

                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0120B59E
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.1296827063.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_1200000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: 1a695634b5fa339513d3836647fbed4864af4fbf5a57f548ec0a1fbdf2666af1
                                          • Instruction ID: ed3badf1caa571d6192f5959f0f3360b402470c47bd545b9356948f9fe7fddb4
                                          • Opcode Fuzzy Hash: 1a695634b5fa339513d3836647fbed4864af4fbf5a57f548ec0a1fbdf2666af1
                                          • Instruction Fuzzy Hash: 60816574A10B068FEB36CF29D0547AABBF1FF48200F008A2DD596D7A81D775E946CB91

                                          Control-flow Graph

                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 01205DC9
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.1296827063.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_1200000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: 6e803ce53d1316b16104fa826fd74be618cd196e5f1c215df8f6caa301f21bc6
                                          • Instruction ID: fc8536051f8d662e7306c8a7520bf1511e531d242a0f296d2c7d3428c641cd18
                                          • Opcode Fuzzy Hash: 6e803ce53d1316b16104fa826fd74be618cd196e5f1c215df8f6caa301f21bc6
                                          • Instruction Fuzzy Hash: BC410370C00719CBEB25DFA9C884BDEFBB1BF49304F20815AD508AB251DB715986CF90

                                          Control-flow Graph

                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 01205DC9
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.1296827063.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_1200000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: 3df79dde87081ae2ca2360c61c139a5af2283517a48a7c1291af77af9e7c6505
                                          • Instruction ID: c5de8feaca4888f9baff925396c72ddbe2b0aecd524397161cb1b022085f973e
                                          • Opcode Fuzzy Hash: 3df79dde87081ae2ca2360c61c139a5af2283517a48a7c1291af77af9e7c6505
                                          • Instruction Fuzzy Hash: C241E570C00719CBEB25DFA9C884B9EFBF5BF49304F20815AD509AB255DBB16986CF90

                                          Control-flow Graph

                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0777D2CE
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.1306011573.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7770000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: e705dad174f50081b754486428db667475b02e4e4511c7fd873475275f8ee4fe
                                          • Instruction ID: cf5b8b0afa8b22e907ec8c269e436a9894ffdb11871df65f54b9dfb193156696
                                          • Opcode Fuzzy Hash: e705dad174f50081b754486428db667475b02e4e4511c7fd873475275f8ee4fe
                                          • Instruction Fuzzy Hash: 08214AB1E003098FDB20DFAAC4857EEBBF5FF88314F248829D555A7241C7789946CBA4

                                          Control-flow Graph

                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0777D478
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.1306011573.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7770000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: 77736acc15c7cb35547991017ebeb91ca30a683b835eb0967b358368d37c6f39
                                          • Instruction ID: 745a1ea6d7af9d0878a500b38daa6f73975d3e8032f47f9a435a6421d429142d
                                          • Opcode Fuzzy Hash: 77736acc15c7cb35547991017ebeb91ca30a683b835eb0967b358368d37c6f39
                                          • Instruction Fuzzy Hash: E9212AB59003599FDF10DFAAC885BDEBBF5FF48310F108429E919A7240C778A944CBA5

                                          Control-flow Graph

                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0777D478
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.1306011573.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7770000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: 38b008dcd8dc13b9e43f028f3d1f3c2a843388d700785fc5ab8ed00b58768c74
                                          • Instruction ID: 1d63a866e2ca19b2db0de5e61607d7ebbd5e56535d747983cd37ff53a820901a
                                          • Opcode Fuzzy Hash: 38b008dcd8dc13b9e43f028f3d1f3c2a843388d700785fc5ab8ed00b58768c74
                                          • Instruction Fuzzy Hash: 602127B19003599FDF10DFAAC885BDEBBF5FF48310F108429E919A7240C778A944CBA4

                                          Control-flow Graph

                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0120D8AF
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.1296827063.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_1200000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: adad0441f9a91cab5c38918c77b08128102651bcc6ce4c290ef8bef3dc47b856
                                          • Instruction ID: 698623d1bfdcca771be686976c0195fa80d21e73dc0aa93e4e2c77b7815663a7
                                          • Opcode Fuzzy Hash: adad0441f9a91cab5c38918c77b08128102651bcc6ce4c290ef8bef3dc47b856
                                          • Instruction Fuzzy Hash: 3A2103B5D01249EFDB10CFAAD484AEEBBF5FB48310F14841AE918A7350C374A941CF60

                                          Control-flow Graph

                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0777D558
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.1306011573.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7770000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          • Opcode ID: 5f1153de8bfa019202cc431b614c0e85aa7d5a354a4a048f8bf0eb0f2b5df228
                                          • Instruction ID: 6b4c9d41fbbbfc1364cd715fc30fbcb13ab322105eead1898f539e499652a030
                                          • Opcode Fuzzy Hash: 5f1153de8bfa019202cc431b614c0e85aa7d5a354a4a048f8bf0eb0f2b5df228
                                          • Instruction Fuzzy Hash: 1B2119B1D003599FDB10DFAAD881BEEBBF5FF48310F508429E519A7240C7759541CBA4

                                          Control-flow Graph

                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0777D558
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.1306011573.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7770000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          • Opcode ID: 6a117ce6d650d1d9d00af4dedd9fecbc16e58a0e351876b3a0e17607f9b6f516
                                          • Instruction ID: c618ff1faa4d30b1af0a218aee8dec45f6562cb7e9cb9d9b61fb692ce894df9f
                                          • Opcode Fuzzy Hash: 6a117ce6d650d1d9d00af4dedd9fecbc16e58a0e351876b3a0e17607f9b6f516
                                          • Instruction Fuzzy Hash: B92116B1D003599FDB10DFAAC880BEEBBF5FF48310F508429E919A7240C7799941CBA4

                                          Control-flow Graph

                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0777D2CE
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.1306011573.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7770000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: 0aadc8484a01d71f527f5ac20e11062725e2c6f9393c9c71dda5d827ae349d1e
                                          • Instruction ID: 63b9501a39ffce68270278fae848533ac9c4438449cac7bde62333e1728233d8
                                          • Opcode Fuzzy Hash: 0aadc8484a01d71f527f5ac20e11062725e2c6f9393c9c71dda5d827ae349d1e
                                          • Instruction Fuzzy Hash: 612129B1D003098FDB24DFAAC4857EEBBF5EF88324F14842AD559A7241C7789945CFA4

                                          Control-flow Graph

                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0120D8AF
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.1296827063.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_1200000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: ef3f3eb8d6b72da293141edf6db02bc12f175b0168b3f9b1678e09c9557ada54
                                          • Instruction ID: bbeb38dc2842cd449175e2f61557644a83fd637767f79b4168d33ad96bc4eacd
                                          • Opcode Fuzzy Hash: ef3f3eb8d6b72da293141edf6db02bc12f175b0168b3f9b1678e09c9557ada54
                                          • Instruction Fuzzy Hash: 0421E2B5D013499FDB10CFAAD884ADEBBF9FB48320F14841AE918A7350D374A940CFA4
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0777D396
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.1306011573.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7770000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: 343d60256938c4bf007f6f40eb346bbf2fec36e2dde0dcc40f205edc0d0f0b9d
                                          • Instruction ID: 66522a42d115ea9d41bc72480aac118ef39bf4fcdd6cc7f4da4847b70fd71c02
                                          • Opcode Fuzzy Hash: 343d60256938c4bf007f6f40eb346bbf2fec36e2dde0dcc40f205edc0d0f0b9d
                                          • Instruction Fuzzy Hash: BB1147B69003499FDF20DFAAD844BDEFBF5EF89320F248819E519A7250C775A540CBA0
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0777D396
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.1306011573.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7770000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: 8fb3d76d719a798a7d9d9d7695f4bc8d3fabdd0baaa8c0d7b0dc630a92a3211e
                                          • Instruction ID: 8da4f90ad4ea5e015e5f48461560097b8db1ec383c0d10c47062419d27018b61
                                          • Opcode Fuzzy Hash: 8fb3d76d719a798a7d9d9d7695f4bc8d3fabdd0baaa8c0d7b0dc630a92a3211e
                                          • Instruction Fuzzy Hash: F5113A759003499FDF20DFAAD844BDEBBF5EF88310F248819E515A7250C7759540CFA0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.1306011573.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7770000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.1306011573.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7770000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0120B59E
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.1296827063.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_1200000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0

                                          Execution Graph

                                          Execution Coverage:13.2%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:32.5%
                                          Total number of Nodes:40
                                          Total number of Limit Nodes:4

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1023 53cc168-53cc178 1024 53cc17f-53cc18b 1023->1024 1025 53cc17a 1023->1025 1028 53cc18d 1024->1028 1029 53cc192-53cc1a7 1024->1029 1026 53cc2ab-53cc2b5 1025->1026 1028->1026 1032 53cc1ad-53cc1b8 1029->1032 1033 53cc2bb-53cc2fb call 53c5d08 1029->1033 1036 53cc1be-53cc1c5 1032->1036 1037 53cc2b6 1032->1037 1049 53cc302-53cc378 call 53c5d08 call 53c5c00 1033->1049 1038 53cc1c7-53cc1de 1036->1038 1039 53cc1f2-53cc1fd 1036->1039 1037->1033 1048 53cc1e4-53cc1e7 1038->1048 1038->1049 1044 53cc1ff-53cc207 1039->1044 1045 53cc20a-53cc214 1039->1045 1044->1045 1055 53cc29e-53cc2a3 1045->1055 1056 53cc21a-53cc224 1045->1056 1048->1037 1053 53cc1ed-53cc1f0 1048->1053 1083 53cc3df-53cc454 call 53c5ca8 1049->1083 1084 53cc37a-53cc3b7 1049->1084 1053->1038 1053->1039 1055->1026 1056->1037 1061 53cc22a-53cc246 1056->1061 1066 53cc248 1061->1066 1067 53cc24a-53cc24d 1061->1067 1066->1026 1068 53cc24f-53cc252 1067->1068 1069 53cc254-53cc257 1067->1069 1072 53cc25a-53cc268 1068->1072 1069->1072 1072->1037 1077 53cc26a-53cc271 1072->1077 1077->1026 1078 53cc273-53cc279 1077->1078 1078->1037 1080 53cc27b-53cc280 1078->1080 1080->1037 1081 53cc282-53cc295 1080->1081 1081->1037 1086 53cc297-53cc29a 1081->1086 1092 53cc4f3-53cc4f9 1083->1092 1087 53cc3be-53cc3dc 1084->1087 1088 53cc3b9 1084->1088 1086->1078 1090 53cc29c 1086->1090 1087->1083 1088->1087 1090->1026 1093 53cc4ff-53cc517 1092->1093 1094 53cc459-53cc46c 1092->1094 1095 53cc519-53cc526 1093->1095 1096 53cc52b-53cc53e 1093->1096 1097 53cc46e 1094->1097 1098 53cc473-53cc4c4 1094->1098 1099 53cc8c1-53cc9bf 1095->1099 1100 53cc545-53cc561 1096->1100 1101 53cc540 1096->1101 1097->1098 1115 53cc4c6-53cc4d4 1098->1115 1116 53cc4d7-53cc4e9 1098->1116 1106 53cc9c7-53cc9d1 1099->1106 1107 53cc9c1-53cc9c6 call 53c5ca8 1099->1107 1103 53cc568-53cc58c 1100->1103 1104 53cc563 1100->1104 1101->1100 1111 53cc58e 1103->1111 1112 53cc593-53cc5c5 1103->1112 1104->1103 1107->1106 
1111->1112 1121 53cc5cc-53cc60e 1112->1121 1122 53cc5c7 1112->1122 1115->1093 1118 53cc4eb 1116->1118 1119 53cc4f0 1116->1119 1118->1119 1119->1092 1124 53cc615-53cc61e 1121->1124 1125 53cc610 1121->1125 1122->1121 1126 53cc846-53cc84c 1124->1126 1125->1124 1127 53cc852-53cc865 1126->1127 1128 53cc623-53cc648 1126->1128 1131 53cc86c-53cc887 1127->1131 1132 53cc867 1127->1132 1129 53cc64f-53cc686 1128->1129 1130 53cc64a 1128->1130 1140 53cc68d-53cc6bf 1129->1140 1141 53cc688 1129->1141 1130->1129 1133 53cc88e-53cc8a2 1131->1133 1134 53cc889 1131->1134 1132->1131 1138 53cc8a9-53cc8bf LdrInitializeThunk 1133->1138 1139 53cc8a4 1133->1139 1134->1133 1138->1099 1139->1138 1143 53cc6c1-53cc6e6 1140->1143 1144 53cc723-53cc736 1140->1144 1141->1140 1145 53cc6ed-53cc71b 1143->1145 1146 53cc6e8 1143->1146 1147 53cc73d-53cc762 1144->1147 1148 53cc738 1144->1148 1145->1144 1146->1145 1151 53cc764-53cc765 1147->1151 1152 53cc771-53cc7a9 1147->1152 1148->1147 1151->1127 1153 53cc7ab 1152->1153 1154 53cc7b0-53cc811 call 53cc168 1152->1154 1153->1154 1160 53cc818-53cc83c 1154->1160 1161 53cc813 1154->1161 1164 53cc83e 1160->1164 1165 53cc843 1160->1165 1161->1160 1164->1165 1165->1126
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2541825485.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2542838570.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

                                          APIs
                                          • LdrInitializeThunk.NTDLL(00000000), ref: 053CC8AE
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2541825485.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1870 6758848-6758d36 1945 6758d3c-6758d4c 1870->1945 1946 6759288-67592a8 1870->1946 1945->1946 1947 6758d52-6758d62 1945->1947 1951 67592f9-6759301 1946->1951 1952 67592aa 1946->1952 1947->1946 1949 6758d68-6758d78 1947->1949 1949->1946 1950 6758d7e-6758d8e 1949->1950 1950->1946 1953 6758d94-6758da4 1950->1953 1961 6759326-6759329 1951->1961 1962 6759303-675930e 1951->1962 1954 67592b2-67592bd 1952->1954 1955 67592ac-67592b1 1952->1955 1953->1946 1956 6758daa-6758dba 1953->1956 1958 67592bf-67592c4 1954->1958 1959 67592c9-67592e7 1954->1959 1955->1954 1956->1946 1960 6758dc0-6758dd0 1956->1960 1963 67593ae-67593b3 1958->1963 1989 675935e-675936a 1959->1989 1990 67592e9-67592f3 1959->1990 1960->1946 1965 6758dd6-6758de6 1960->1965 1966 6759340-675934c 1961->1966 1967 675932b-6759337 1961->1967 1962->1961 1972 6759310-675931a 1962->1972 1965->1946 1968 6758dec-6758dfc 1965->1968 1969 67593b4-67593c2 1966->1969 1970 675934e-6759355 1966->1970 1967->1966 1978 6759339-675933e 1967->1978 1968->1946 1974 6758e02-6758e12 1968->1974 1980 67593c4 1969->1980 1981 67593ca 1969->1981 1970->1969 1976 6759357-675935c 1970->1976 1972->1961 1986 675931c-6759321 1972->1986 1974->1946 1977 6758e18-6759287 1974->1977 1976->1963 1978->1963 1984 6759416-675941d 1980->1984 1985 67593c6 1980->1985 1987 67593d2-6759410 1981->1987 1988 67593cc 1981->1988 1994 67594a6-67594f8 1984->1994 1995 6759423-675942e 1984->1995 1992 67593ce-67593cf 1985->1992 1993 67593c8-67593c9 1985->1993 1986->1963 1987->1995 2011 6759412 1987->2011 1988->1992 2003 6759381-675938d 1989->2003 2004 675936c-6759378 1989->2004 1990->1989 2001 67592f5-67592f7 1990->2001 1992->1987 1993->1981 2006 67594ff-6759544 call 67582c0 1994->2006 2005 6759434-6759491 1995->2005 1995->2006 2001->1951 2015 67593a4-67593a6 2003->2015 2016 675938f-675939b 2003->2016 2004->2003 2013 675937a-675937f 2004->2013 2024 675949a-67594a3 2005->2024 2039 6759555-6759563 2006->2039 
2040 6759546-6759553 2006->2040 2011->1984 2013->1963 2015->1963 2016->2015 2025 675939d-67593a2 2016->2025 2025->1963 2046 6759565-675956f 2039->2046 2047 6759571 2039->2047 2045 6759573-6759576 2040->2045 2046->2045 2047->2045
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2542838570.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6750000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 89d68bddfd94d235f585f52df774e49687042da8367a2b3bd4d66365b037f983
                                          • Instruction ID: aab2015fa8c51da313935bb7dd38e206e9a656350ce4e9570ba61237b5b87bd7
                                          • Opcode Fuzzy Hash: 89d68bddfd94d235f585f52df774e49687042da8367a2b3bd4d66365b037f983
                                          • Instruction Fuzzy Hash: B2723174A00318CFEB559BA5C850BDEBBB2FF88300F1081A9D50AAB794DE759D85CF91

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 2638 67565f1-675660d 2639 6756615-6756617 2638->2639 2640 675660f-6756613 2638->2640 2642 6756828-675682f 2639->2642 2640->2639 2641 675661c-6756627 2640->2641 2643 6756830 2641->2643 2644 675662d-6756634 2641->2644 2647 6756835-675686d 2643->2647 2645 67567c9-67567cf 2644->2645 2646 675663a-6756649 2644->2646 2649 67567d5-67567d9 2645->2649 2650 67567d1-67567d3 2645->2650 2646->2647 2648 675664f-675665e 2646->2648 2676 6756876-675687a 2647->2676 2677 675686f-6756874 2647->2677 2658 6756660-6756663 2648->2658 2659 6756673-6756676 2648->2659 2651 6756826 2649->2651 2652 67567db-67567e1 2649->2652 2650->2642 2651->2642 2652->2643 2653 67567e3-67567e6 2652->2653 2653->2643 2656 67567e8-67567fd 2653->2656 2674 6756821-6756824 2656->2674 2675 67567ff-6756805 2656->2675 2660 6756665-6756668 2658->2660 2661 6756682-6756688 2658->2661 2659->2661 2662 6756678-675667b 2659->2662 2663 675666e 2660->2663 2664 6756769-675676f 2660->2664 2669 67566a0-67566bd 2661->2669 2670 675668a-6756690 2661->2670 2666 675667d 2662->2666 2667 67566ce-67566d4 2662->2667 2671 6756794-67567a1 2663->2671 2680 6756787-6756791 2664->2680 2681 6756771-6756777 2664->2681 2666->2671 2672 67566d6-67566dc 2667->2672 2673 67566ec-67566fe 2667->2673 2709 67566c6-67566c9 2669->2709 2678 6756694-675669e 2670->2678 2679 6756692 2670->2679 2699 67567b5-67567b7 2671->2699 2700 67567a3-67567a7 2671->2700 2683 67566e0-67566ea 2672->2683 2684 67566de 2672->2684 2702 6756700-675670c 2673->2702 2703 675670e-6756731 2673->2703 2674->2642 2685 6756817-675681a 2675->2685 2686 6756807-6756815 2675->2686 2682 6756880-6756882 2676->2682 2677->2682 2678->2669 2679->2669 2680->2671 2687 6756779 2681->2687 2688 675677b-6756785 2681->2688 2692 6756884-6756896 2682->2692 2693 6756897-675689e 2682->2693 2683->2673 2684->2673 2685->2643 2695 675681c-675681f 2685->2695 2686->2643 2686->2685 2687->2680 2688->2680 2695->2674 2695->2675 2707 67567bb-67567be 2699->2707 
2700->2699 2705 67567a9-67567ad 2700->2705 2713 6756759-6756767 2702->2713 2703->2643 2715 6756737-675673a 2703->2715 2705->2643 2710 67567b3 2705->2710 2707->2643 2711 67567c0-67567c3 2707->2711 2709->2671 2710->2707 2711->2645 2711->2646 2713->2671 2715->2643 2717 6756740-6756752 2715->2717 2717->2713
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2542838570.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6750000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 30cd6f8b883fd1c0e41c4f2e39dfab69f0c29f592f2534f3b996d5097d7f1a8f
                                          • Instruction ID: 3281132150ef34dce901371e7f3337b6319b8d7cd276f499febcf2fb2f1e8cce
                                          • Opcode Fuzzy Hash: 30cd6f8b883fd1c0e41c4f2e39dfab69f0c29f592f2534f3b996d5097d7f1a8f
                                          • Instruction Fuzzy Hash: DF81C374B002058FDB94CF69C884A6AB7B2FF8A204B9685E9DC15E7371DB71EC41CB91

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 2719 67562a8-67562b6 2720 67562c5-67562d6 call 6752a50 2719->2720 2721 67562b8-67562be 2719->2721 2724 67562dc-67562e0 2720->2724 2725 675636a-675636c 2720->2725 2721->2720 2726 67562f0-67562fd 2724->2726 2727 67562e2-67562ee 2724->2727 2796 675636e call 6756130 2725->2796 2797 675636e call 67562a8 2725->2797 2733 67562ff-6756309 2726->2733 2727->2733 2728 6756374-675637a 2730 6756386-675638d 2728->2730 2731 675637c-6756382 2728->2731 2734 6756384 2731->2734 2735 67563e8-6756447 2731->2735 2738 6756336-675633a 2733->2738 2739 675630b-675631a 2733->2739 2734->2730 2748 675644e-675645a 2735->2748 2741 6756346-675634a 2738->2741 2742 675633c-6756342 2738->2742 2750 675631c-6756323 2739->2750 2751 675632a-6756334 2739->2751 2741->2730 2743 675634c-6756350 2741->2743 2745 6756344 2742->2745 2746 6756390-67563e1 2742->2746 2747 6756356-6756368 2743->2747 2743->2748 2745->2730 2746->2735 2747->2730 2758 6756462 2748->2758 2759 675645c-6756460 2748->2759 2750->2751 2751->2738 2760 6756464-6756469 2758->2760 2761 675646a-675647e 2758->2761 2759->2758 2760->2761 2768 6756480-675648d 2761->2768 2769 67564a3-67564b0 2761->2769 2775 675649f-67564a1 2768->2775 2776 675648f-675649d 2768->2776 2774 67564b2-67564bc 2769->2774 2781 67564e4-67564e6 call 67565f1 2774->2781 2782 67564be-67564cc 2774->2782 2775->2774 2776->2774 2785 67564ec-67564f0 2781->2785 2786 67564ce-67564d2 2782->2786 2787 67564d9-67564e2 2782->2787 2788 67564f2-6756507 2785->2788 2789 6756509-675650d 2785->2789 2786->2787 2787->2781 2791 675652b-6756531 2788->2791 2790 675650f-6756524 2789->2790 2789->2791 2790->2791 2796->2728 2797->2728
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2542838570.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6750000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fc04256366efd5db9643b1663b660c02b59574958a05dd7f20baebb6006fbb2e
                                          • Instruction ID: 067301f3b093ad442860eb809f24a6313a68cd9fc03b94ed6d850fa132bb8256
                                          • Opcode Fuzzy Hash: fc04256366efd5db9643b1663b660c02b59574958a05dd7f20baebb6006fbb2e
                                          • Instruction Fuzzy Hash: EC71D130B002218FDB559B79D4A473E7BA2BFC9640B5584AAE906CB3A5DFB4CC42C781

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 2867 6752508-6752527 2868 67526e2-6752707 2867->2868 2869 675252d-6752536 2867->2869 2873 675270e-67527a8 call 6752270 2868->2873 2872 675253c-6752591 2869->2872 2869->2873 2882 6752593-67525b8 2872->2882 2883 67525bb-67525c4 2872->2883 2913 67527ad-67527b2 2873->2913 2882->2883 2885 67525c6 2883->2885 2886 67525c9-67525d9 2883->2886 2885->2886 2924 67525db call 67526e9 2886->2924 2925 67525db call 67524f8 2886->2925 2926 67525db call 6752508 2886->2926 2888 67525e1-67525e3 2890 67525e5-67525ea 2888->2890 2891 675263d-675268a 2888->2891 2893 6752623-6752636 2890->2893 2894 67525ec-6752621 2890->2894 2904 6752691-6752696 2891->2904 2893->2891 2894->2904 2907 67526a0-67526a5 2904->2907 2908 6752698 2904->2908 2910 67526a7 2907->2910 2911 67526af-67526b4 2907->2911 2908->2907 2910->2911 2914 67526b6-67526c4 call 67520e4 call 67520fc 2911->2914 2915 67526c9-67526ca 2911->2915 2914->2915 2915->2868 2924->2888 2925->2888 2926->2888
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2542838570.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6750000_Gun Ici Cek Statu Listesi.jbxd
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2540073563.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_13dd000_Gun Ici Cek Statu Listesi.jbxd
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2542838570.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6750000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f1344ffc9c51c6b6fa82f4b573b20af2f280ce353af6c3b811e79a4a4353c1d3
                                          • Instruction ID: d1c68acf666e6e496c3bcd2aeeaae3352160a25c6a17bd551c6d4d2a6f8aa2aa
                                          • Opcode Fuzzy Hash: f1344ffc9c51c6b6fa82f4b573b20af2f280ce353af6c3b811e79a4a4353c1d3
                                          • Instruction Fuzzy Hash: 41C1C374E00218CFDB54DFA5C994BADBBB2BF89300F5081A9D809AB354DB759E81CF50
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2542838570.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6750000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c87b04f13aec068e3d3181eee790200e2e53614bcd6e1de787e72092cbd12aec
                                          • Instruction ID: 9aef5c544a12db056ec4d1df9770dd39adc241cb4b012d0e8d3a2c306adb0414
                                          • Opcode Fuzzy Hash: c87b04f13aec068e3d3181eee790200e2e53614bcd6e1de787e72092cbd12aec
                                          • Instruction Fuzzy Hash: A9C1C474E00218CFDB54DFA9C994B9DBBB2BF89300F5081A9D809AB365DB759E81CF50
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2542838570.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6750000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 36781d2c3f6172fed33346e01b93358beff6d1f7617031aac4aeb0cda8fbee31
                                          • Instruction ID: d67936a878bdd33d79ada5b38bec35b2c4b15a3504670409d6535d8580803c5a
                                          • Opcode Fuzzy Hash: 36781d2c3f6172fed33346e01b93358beff6d1f7617031aac4aeb0cda8fbee31
                                          • Instruction Fuzzy Hash: 26C1C274E00218CFDB54DFA9C994B9DBBB2BF89300F6081A9D809AB355DB759E81CF50
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2542838570.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6750000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 45577a7cfc7d32c1a7ca8a1905d4a657e9ea60eb057f5b03df6f7eac76c95951
                                          • Instruction ID: 1978ddd12869d045b22f20e7b3fa1706e881600107501af0da3efc8b6f1c32cf
                                          • Opcode Fuzzy Hash: 45577a7cfc7d32c1a7ca8a1905d4a657e9ea60eb057f5b03df6f7eac76c95951
                                          • Instruction Fuzzy Hash: 2DC1C474E00218CFDB54DFA9C944B9DBBB2BF89300F5081A9D809AB355DB759E85CF50
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2542838570.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6750000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5868cdf496c4b501ded56379c283063c1529685ceb1a4ac7310b61443e479d32
                                          • Instruction ID: 6bf8899741fcaa71466cae9f5b5008ef04f8892a8f26f76b8732d05120efcd4c
                                          • Opcode Fuzzy Hash: 5868cdf496c4b501ded56379c283063c1529685ceb1a4ac7310b61443e479d32
                                          • Instruction Fuzzy Hash: 22C1B374E00218CFDB54DFA5C954BADBBB2BF89300F6081A9D809AB355DB759E81CF50
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2542838570.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6750000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 083870661d470018a16417e4c8c55f0eaad415056db9e21976bb2bb5dc42acb6
                                          • Instruction ID: 555128da94cdfeb5e2830e6f4ac9bf64e53c519eafc34958794e4ac1c6c1c008
                                          • Opcode Fuzzy Hash: 083870661d470018a16417e4c8c55f0eaad415056db9e21976bb2bb5dc42acb6
                                          • Instruction Fuzzy Hash: CBC1C474E00218CFDB54DFA9C994B9DBBB2BF89300F6081A9D809AB354DB759E85CF50
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2542838570.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6750000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 595a166738581ca345dd0815af4857a2d20c0b6e66e7eb4ebec65e378c2143a6
                                          • Instruction ID: 716887f056fdf27da1c3f538b62766286f74ca77d827f717cdc782859be6c095
                                          • Opcode Fuzzy Hash: 595a166738581ca345dd0815af4857a2d20c0b6e66e7eb4ebec65e378c2143a6
                                          • Instruction Fuzzy Hash: C8C1D474E00218CFDB54DFA9C994B9DBBB2BF89300F6081A9D809AB355DB759E81CF50
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2542838570.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6750000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9e0f54d51290df15e63f6183321f029588953919ff76509bb7517caa59ab94f0
                                          • Instruction ID: 9cdf04f792c3b05fae0616db07130a7d6097ad6f7f414cf9699310120bccb2a4
                                          • Opcode Fuzzy Hash: 9e0f54d51290df15e63f6183321f029588953919ff76509bb7517caa59ab94f0
                                          • Instruction Fuzzy Hash: 7BC1D474E00218CFDB54DFA9C944B9DBBB2BF89300F6081A9D809AB355DB759E85CF50
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2542838570.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6750000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c3370313d75c7dbc1c4ec5b6f8738a83f20c7e46b3a275aea3e844e13b602053
                                          • Instruction ID: 85c372b0aeb6a892aeccd3c7b7e9b85d9399721e48d5a7edbd423f915c86f958
                                          • Opcode Fuzzy Hash: c3370313d75c7dbc1c4ec5b6f8738a83f20c7e46b3a275aea3e844e13b602053
                                          • Instruction Fuzzy Hash: C4C1B174E00218CFDB54DFA9C984BADBBB2BF89300F5081A9D809AB355DB759E85CF50
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2542838570.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6750000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 36940fa698adef212c400e1ffd0a6e4b5e7b25b042c43e4a04e2eb150fea625d
                                          • Instruction ID: 96aed17d92c90ec40d29a04f27c97083523e01a9a4710761769ba0dc354f2447
                                          • Opcode Fuzzy Hash: 36940fa698adef212c400e1ffd0a6e4b5e7b25b042c43e4a04e2eb150fea625d
                                          • Instruction Fuzzy Hash: 62C1D274E00218CFDB54DFA9C994B9DBBB2BF89300F6081A9D809AB355DB759E81CF50
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2542838570.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6750000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6fdf23bc7cc2713c61a8082b5afa93ebc806396d8fcc60934a74dcefdaacc8a2
                                          • Instruction ID: 02007dfa70c35b2b88631c1c59a702e31d9d456440356e76a8f44e765ce221bb
                                          • Opcode Fuzzy Hash: 6fdf23bc7cc2713c61a8082b5afa93ebc806396d8fcc60934a74dcefdaacc8a2
                                          • Instruction Fuzzy Hash: 22C1D374E00218CFDB54DFA9C994BADBBB2BF89300F5081A9D809AB354DB759E85CF50
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2542838570.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6750000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6b460f9a362d1c06bf54149c48fb47f958744e12595acfbb652252e254c2e68d
                                          • Instruction ID: 65d3cad89e3b72651d3fc4f8550b378b22e593e4850a7885535f1c4999fed29f
                                          • Opcode Fuzzy Hash: 6b460f9a362d1c06bf54149c48fb47f958744e12595acfbb652252e254c2e68d
                                          • Instruction Fuzzy Hash: 3EC1A074E00218CFDB54DFA9C994B9DBBB2BF89300F6081A9D809AB354DB759E85CF50
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2542838570.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6750000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: be8c326f401e0856731a3d10035f68c5aa766b6c8739753021dec7832afb2b98
                                          • Instruction ID: 3de89fdb87325a81e46ac980195bc84b5b52c8cf7e35177446f3da8112fb2d0e
                                          • Opcode Fuzzy Hash: be8c326f401e0856731a3d10035f68c5aa766b6c8739753021dec7832afb2b98
                                          • Instruction Fuzzy Hash: 0BC1B274E00218CFDB54DFA9C994B9DBBB2BF89300F5081A9D809AB355DB75AE81CF50
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2542838570.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6750000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1ae1ab4d80dd7765b90de98de6dee7e2261b7d6216ac68f4b9b82ae83e97593e
                                          • Instruction ID: 00391548e7aaa7d5ef7f002a3587ef0ddddbc7cf81cc7092dc44de92f4b865b6
                                          • Opcode Fuzzy Hash: 1ae1ab4d80dd7765b90de98de6dee7e2261b7d6216ac68f4b9b82ae83e97593e
                                          • Instruction Fuzzy Hash: FDC1C274E00218CFDB54DFA9C994BADBBB2BF89300F5081A9D809AB354DB759E81CF50
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2542838570.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6750000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8a1550df28583203953f7dfe9e7bc45f168e7c6b6149f65462a368d7134fe190
                                          • Instruction ID: 256be33f1450b1e5a6baa161f26ae4f671e7960e4ff28d12b0358d98e48e5205
                                          • Opcode Fuzzy Hash: 8a1550df28583203953f7dfe9e7bc45f168e7c6b6149f65462a368d7134fe190
                                          • Instruction Fuzzy Hash: 8BC1C274E00218CFDB54DFA9C994B9DBBB2BF89300F6081A9D809AB355DB759E81CF50
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2542838570.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6750000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0aeac06fa95a0fa03375a5778ce8665b2bda07447fa328d2349b7da122f17d6c
                                          • Instruction ID: 22f863475623f824365a10749d398dcd5dfb269883ab2e70dcfb3916b4b17f23
                                          • Opcode Fuzzy Hash: 0aeac06fa95a0fa03375a5778ce8665b2bda07447fa328d2349b7da122f17d6c
                                          • Instruction Fuzzy Hash: 22C1C274E00218CFDB54DFA9C944B9DBBB2BF89300F6081A9D809AB355DB75AE85CF50
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2542838570.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6750000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d8b0381a158ce329056ac0b8bf4afbfdc310278488aca3648e6942d040424d70
                                          • Instruction ID: 771e4b4cae5bd000b4e5070242997dc115aea97357489c5ac077c5d94ccba61f
                                          • Opcode Fuzzy Hash: d8b0381a158ce329056ac0b8bf4afbfdc310278488aca3648e6942d040424d70
                                          • Instruction Fuzzy Hash: D8C1B374E00218CFDB54DFA9C954BADBBB2BF89300F6081A9D809AB355DB759E81CF50
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2542838570.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6750000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 64cb2ab948317481900ec9a7c9ff38699445b2b24e790e7df69d685324127e93
                                          • Instruction ID: 19a063351781bc999b32421990b66855ff95e86bab9fa0f5fb412e5c497a470b
                                          • Opcode Fuzzy Hash: 64cb2ab948317481900ec9a7c9ff38699445b2b24e790e7df69d685324127e93
                                          • Instruction Fuzzy Hash: 31C1C174E00218CFDB54DFA9D984B9DBBB2BF89300F6081A9D809AB354DB759E85CF50
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2542838570.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6750000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f260a1158d0d27f8d5144776d55342f0f356e7a6b3e344f4059beea8bf247db7
                                          • Instruction ID: 87f172774a816e53e2afc2513fd55b83a9b94f6d7890db5a28e7ace5994b9772
                                          • Opcode Fuzzy Hash: f260a1158d0d27f8d5144776d55342f0f356e7a6b3e344f4059beea8bf247db7
                                          • Instruction Fuzzy Hash: B2C1B174E00218CFDB54DFA9C994BADBBB2BF89300F5081A9D809AB355DB759E81CF50
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2542838570.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6750000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a94677539b0a80130a55a959cfdcda5023dcbce3f106b472f6441b99f190316e
                                          • Instruction ID: 4d7cc26498982aabcdd402b87e4332696bd9ae351a0d80f631eee1eb83aa5446
                                          • Opcode Fuzzy Hash: a94677539b0a80130a55a959cfdcda5023dcbce3f106b472f6441b99f190316e
                                          • Instruction Fuzzy Hash: E7C1C374E00218CFDB54DFA9C994B9DBBB2BF89300F6081A9D809AB355DB759E81CF50
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2542838570.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6750000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b4f49a0b783d94d1b02cc3959fc2a8ddea367609219a6eecc8a6f05c24255d37
                                          • Instruction ID: 93def2d392befa29f5351124d0015540b3ad91263dfd05a7902bce20ffa33eca
                                          • Opcode Fuzzy Hash: b4f49a0b783d94d1b02cc3959fc2a8ddea367609219a6eecc8a6f05c24255d37
                                          • Instruction Fuzzy Hash: 90C1C374E00218CFDB54DFA9C994B9DBBB2BF89300F5081A9D809AB354DB759E86CF50
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2542838570.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6750000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 951e181d00c8c6b6e3c6c354f91c20361bf52c18dc2d7e5e0b91f4f5471b5935
                                          • Instruction ID: b3456773389e574af8a4d6da33a61dd677fd460afd65b7195a9433ed792e9658
                                          • Opcode Fuzzy Hash: 951e181d00c8c6b6e3c6c354f91c20361bf52c18dc2d7e5e0b91f4f5471b5935
                                          • Instruction Fuzzy Hash: 7BC1C474E00218CFDB54DFA9C954B9DBBB2BF89300F6081A9D809AB354DB759E85CF50
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2542838570.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6750000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 461911741e8bfd668afa2aec1ba15d85c63459151ab5387724316b2b08da667e
                                          • Instruction ID: 1719c9c20087d5be8bb4d6f8fe0d259fd64a35081d55a5da6455051709d0d7cf
                                          • Opcode Fuzzy Hash: 461911741e8bfd668afa2aec1ba15d85c63459151ab5387724316b2b08da667e
                                          • Instruction Fuzzy Hash: F4C1B274E00218CFDB54DFA9C994B9DBBB2BF89300F6081A9D809AB354DB759E85CF50
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2542838570.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6750000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 293d78aaa88b0c81547f7819aa8b317b1518b2197bb41222c11ac77ddb6fa725
                                          • Instruction ID: 00c5cbdf2f271343810d554931d1a45fc1f3bc80fbbf470fad128734d56ea8b5
                                          • Opcode Fuzzy Hash: 293d78aaa88b0c81547f7819aa8b317b1518b2197bb41222c11ac77ddb6fa725
                                          • Instruction Fuzzy Hash: 95C1C374E00218CFDB54DFA9C994B9DBBB2BF89300F6081A9D809AB355DB759E81CF50
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2542838570.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6750000_Gun Ici Cek Statu Listesi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ba97219f70ce569411de44d89f1da1020d004461b7b525f342d343a55d0fd6ac
                                          • Instruction ID: 9ca26b5d9973dd9d7cb726b5451b7bee3572c22a8a8bbd6e767267df46df6248
                                          • Opcode Fuzzy Hash: ba97219f70ce569411de44d89f1da1020d004461b7b525f342d343a55d0fd6ac
                                          • Instruction Fuzzy Hash: 92C1B074E00218CFDB54DFA9C994B9DBBB2BF89300F6081A9D809AB354DB759E81CF50