Windows Analysis Report
hesaphareketi_1.scr.exe

Overview

General Information

Sample name: hesaphareketi_1.scr.exe
Analysis ID: 1430777
MD5: 39c348d66f448c5dfd2ce92756a2af10
SHA1: 0e236d48df2f56db7c292c402c48e098c5526639
SHA256: 3a9444944c737900563b16dab76e19bcd2c52f1d3b35e258d581b523586ae828
Tags: AgentTeslaexegeoscrTUR
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: hesaphareketi_1.scr.exe Avira: detected
Antivirus detection for URL or domain
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Avira: detection malicious, Label: HEUR/AGEN.1309721
Found malware configuration
Source: 0.2.hesaphareketi_1.scr.exe.4661450.2.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "business29.web-hosting.com", "Username": "admin@purchase.boats", "Password": "Esupofo234@"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Virustotal: Detection: 38% Perma Link
Multi AV Scanner detection for submitted file
Source: hesaphareketi_1.scr.exe ReversingLabs: Detection: 52%
Source: hesaphareketi_1.scr.exe Virustotal: Detection: 38% Perma Link
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: hesaphareketi_1.scr.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: hesaphareketi_1.scr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.8:49717 version: TLS 1.2
Source: hesaphareketi_1.scr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\GT350\source\repos\AtllasRunp\AtllasRunp\obj\Debug\Bienvenida.pdb source: hesaphareketi_1.scr.exe, 00000000.00000002.1400527379.0000000005C20000.00000004.08000000.00040000.00000000.sdmp, hesaphareketi_1.scr.exe, 00000000.00000002.1396824751.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 00000006.00000002.1576509993.0000000003031000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000E.00000002.1661164916.0000000002A23000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb{+Ll0 source: powershell.exe, 0000000F.00000002.1710961806.000000000867F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdbst.resources.dll source: powershell.exe, 00000007.00000002.1584908607.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb/: source: powershell.exe, 0000000F.00000002.1703052636.0000000007789000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1409770708.00000000028E9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1603996918.000000000762C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1672956754.000000000324F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1422525987.000000000807F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1608334741.000000000861A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.1607940683.00000000085D3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.1703052636.00000000077EA000.00000004.00000020.00020000.00000000.sdmp
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.8:49709 -> 198.54.114.199:587
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View IP Address: 104.26.13.205 104.26.13.205
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.8:49709 -> 198.54.114.199:587
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: api.ipify.org
Source: hesaphareketi_1.scr.exe, 00000004.00000002.2641024996.00000000031BC000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1662306646.000000000319C000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2639565652.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://business29.web-hosting.com
Source: hesaphareketi_1.scr.exe, 00000004.00000002.2636111594.000000000164E000.00000004.00000020.00020000.00000000.sdmp, hesaphareketi_1.scr.exe, 00000004.00000002.2669457268.0000000006A9B000.00000004.00000020.00020000.00000000.sdmp, hesaphareketi_1.scr.exe, 00000004.00000002.2641024996.00000000031C4000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1662306646.00000000031A4000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1680523743.0000000006700000.00000004.00000020.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1680830301.0000000006756000.00000004.00000020.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2639565652.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2633915220.0000000001234000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: hesaphareketi_1.scr.exe, 00000004.00000002.2636111594.000000000164E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2639002089.0000026D5AA00000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1584908607.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1657051554.0000000001490000.00000004.00000020.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1680830301.0000000006756000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1672956754.000000000324F000.00000004.00000020.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2666704343.000000000683F000.00000004.00000020.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2633915220.0000000001234000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000002.00000002.1419457757.0000000007054000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.mi?
Source: cbsBVT.exe, 0000000B.00000002.1680830301.0000000006756000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microj
Source: svchost.exe, 00000005.00000002.2639002089.0000026D5AA00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: hesaphareketi_1.scr.exe, 00000004.00000002.2636111594.000000000164E000.00000004.00000020.00020000.00000000.sdmp, hesaphareketi_1.scr.exe, 00000004.00000002.2641024996.00000000031C4000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1657051554.0000000001490000.00000004.00000020.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1662306646.00000000031A4000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1680830301.0000000006756000.00000004.00000020.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2639565652.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2633915220.0000000001234000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: qmgr.db.5.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.5.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.5.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.5.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.5.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.5.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.5.dr String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000002.00000002.1411676726.0000000004BAE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1588730202.0000000005214000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1679690872.00000000056B3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://go.micros
Source: powershell.exe, 00000002.00000002.1416322622.00000000054D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1599751140.0000000005B36000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1697267398.0000000005FD7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: hesaphareketi_1.scr.exe, 00000004.00000002.2636111594.000000000164E000.00000004.00000020.00020000.00000000.sdmp, hesaphareketi_1.scr.exe, 00000004.00000002.2669457268.0000000006A9B000.00000004.00000020.00020000.00000000.sdmp, hesaphareketi_1.scr.exe, 00000004.00000002.2641024996.00000000031C4000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1662306646.00000000031A4000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1680523743.0000000006700000.00000004.00000020.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1680830301.0000000006756000.00000004.00000020.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2639565652.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2633915220.0000000001234000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: hesaphareketi_1.scr.exe, 00000004.00000002.2636111594.000000000164E000.00000004.00000020.00020000.00000000.sdmp, hesaphareketi_1.scr.exe, 00000004.00000002.2641024996.00000000031C4000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1657051554.0000000001490000.00000004.00000020.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1662306646.00000000031A4000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1680830301.0000000006756000.00000004.00000020.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2639565652.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2633915220.0000000001234000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0-
Source: powershell.exe, 0000000F.00000002.1679690872.00000000050C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1672956754.000000000324F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1411676726.00000000045C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1588730202.0000000004C22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1679690872.00000000050C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.1411676726.0000000004471000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi_1.scr.exe, 00000004.00000002.2641024996.0000000003141000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1588730202.0000000004AD1000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1662306646.000000000312C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1679690872.0000000004F71000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2639565652.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1411676726.00000000045C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1588730202.0000000004C22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1679690872.00000000050C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000F.00000002.1679690872.00000000050C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1672956754.000000000324F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: hesaphareketi_1.scr.exe, 00000000.00000002.1396974953.00000000044F9000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1650972746.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: powershell.exe, 00000002.00000002.1411676726.0000000004471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1588730202.0000000004AD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1679690872.0000000004F71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 0000000F.00000002.1679690872.00000000050C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: hesaphareketi_1.scr.exe, 00000000.00000002.1396974953.00000000044F9000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi_1.scr.exe, 00000004.00000002.2641024996.0000000003141000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1650972746.0000000000402000.00000040.00000400.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1662306646.000000000312C000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2639565652.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: hesaphareketi_1.scr.exe, 00000004.00000002.2641024996.0000000003141000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1662306646.000000000312C000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2639565652.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: hesaphareketi_1.scr.exe, 00000004.00000002.2641024996.0000000003141000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1662306646.000000000312C000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2639565652.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/t
Source: powershell.exe, 0000000F.00000002.1697267398.0000000005FD7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000F.00000002.1697267398.0000000005FD7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000F.00000002.1697267398.0000000005FD7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: edb.log.5.dr String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000005.00000003.1397280494.0000026D5AC20000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV2/C:
Source: powershell.exe, 0000000F.00000002.1679690872.00000000050C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1672956754.000000000324F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: hesaphareketi_1.scr.exe, 00000000.00000002.1396974953.00000000044F9000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi_1.scr.exe, 00000000.00000002.1400665428.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/sam210723/goesrecv-monitor/releases/latest
Source: powershell.exe, 00000002.00000002.1416322622.00000000054D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1599751140.0000000005B36000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1697267398.0000000005FD7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: hesaphareketi_1.scr.exe, 00000004.00000002.2636111594.000000000164E000.00000004.00000020.00020000.00000000.sdmp, hesaphareketi_1.scr.exe, 00000004.00000002.2641024996.00000000031C4000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1657051554.0000000001490000.00000004.00000020.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1662306646.00000000031A4000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1680830301.0000000006756000.00000004.00000020.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2639565652.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2633915220.0000000001234000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: hesaphareketi_1.scr.exe, 00000000.00000002.1396974953.00000000044F9000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi_1.scr.exe, 00000000.00000002.1400665428.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://vksdr.com/goesrecv-monitor
Source: hesaphareketi_1.scr.exe, 00000000.00000002.1395292629.0000000001623000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wdcp.mi
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.8:49717 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.hesaphareketi_1.scr.exe.4661450.2.raw.unpack, cPKWk.cs .Net Code: f0r

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 11.2.cbsBVT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.hesaphareketi_1.scr.exe.4661450.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.hesaphareketi_1.scr.exe.4661450.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.hesaphareketi_1.scr.exe.459a1b0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.hesaphareketi_1.scr.exe.4549b80.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Creates files inside the system directory
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Code function: 0_2_01A2CD3C 0_2_01A2CD3C
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Code function: 0_2_01A2F5B6 0_2_01A2F5B6
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Code function: 0_2_01A2F5B8 0_2_01A2F5B8
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Code function: 0_2_059D7718 0_2_059D7718
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Code function: 0_2_059DCF50 0_2_059DCF50
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Code function: 0_2_059DCF3F 0_2_059DCF3F
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Code function: 4_2_030A4B10 4_2_030A4B10
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Code function: 4_2_030A3EF8 4_2_030A3EF8
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Code function: 4_2_030A4240 4_2_030A4240
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Code function: 4_2_030ACC98 4_2_030ACC98
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Code function: 4_2_030ACCA8 4_2_030ACCA8
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Code function: 4_2_07084078 4_2_07084078
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Code function: 4_2_07094E20 4_2_07094E20
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Code function: 4_2_0709CE58 4_2_0709CE58
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Code function: 4_2_0709A680 4_2_0709A680
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Code function: 4_2_0709B6C8 4_2_0709B6C8
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Code function: 4_2_0709ADD0 4_2_0709ADD0
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Code function: 4_2_07097440 4_2_07097440
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Code function: 4_2_070919E8 4_2_070919E8
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Code function: 4_2_0709C778 4_2_0709C778
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Code function: 4_2_07091A99 4_2_07091A99
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 6_2_0121CD3C 6_2_0121CD3C
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 6_2_0121F5A8 6_2_0121F5A8
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 6_2_0121F5B8 6_2_0121F5B8
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 11_2_013CA588 11_2_013CA588
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 11_2_013C4B10 11_2_013C4B10
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 11_2_013CEB90 11_2_013CEB90
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 11_2_013CAE10 11_2_013CAE10
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 11_2_013C3EF8 11_2_013C3EF8
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 11_2_013C4240 11_2_013C4240
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 11_2_06C5A8D4 11_2_06C5A8D4
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 11_2_06C5A5B4 11_2_06C5A5B4
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 11_2_06C5C058 11_2_06C5C058
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 11_2_06C5DC10 11_2_06C5DC10
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 11_2_06C72760 11_2_06C72760
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 11_2_06C765E0 11_2_06C765E0
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 11_2_06C7C580 11_2_06C7C580
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 11_2_06C75598 11_2_06C75598
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 11_2_06C7B230 11_2_06C7B230
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 11_2_06C77D70 11_2_06C77D70
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 11_2_06C77690 11_2_06C77690
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 11_2_06C7E798 11_2_06C7E798
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 11_2_06C70040 11_2_06C70040
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 11_2_06C75CE8 11_2_06C75CE8
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 11_2_071E3500 11_2_071E3500
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 11_2_06C70007 11_2_06C70007
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 14_2_00FB4560 14_2_00FB4560
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 14_2_00FBCD3C 14_2_00FBCD3C
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 14_2_00FBF5B8 14_2_00FBF5B8
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 14_2_00FBF5A8 14_2_00FBF5A8
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_02D6EAA9 19_2_02D6EAA9
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_02D64B10 19_2_02D64B10
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_02D63EF8 19_2_02D63EF8
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_02D64240 19_2_02D64240
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_02D6AD50 19_2_02D6AD50
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_06D5A8D4 19_2_06D5A8D4
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_06D5A5B4 19_2_06D5A5B4
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_06D5DC10 19_2_06D5DC10
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_06D73460 19_2_06D73460
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_06D7B21F 19_2_06D7B21F
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_06D77690 19_2_06D77690
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_06D7E798 19_2_06D7E798
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_06D70040 19_2_06D70040
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_06D70006 19_2_06D70006
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_07123500 19_2_07123500
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_06D7003B 19_2_06D7003B
Sample file is different than original file name gathered from version info
Source: hesaphareketi_1.scr.exe, 00000000.00000002.1400527379.0000000005C20000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameBienvenida.exe6 vs hesaphareketi_1.scr.exe
Source: hesaphareketi_1.scr.exe, 00000000.00000002.1396824751.00000000034F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBienvenida.exe6 vs hesaphareketi_1.scr.exe
Source: hesaphareketi_1.scr.exe, 00000000.00000002.1396824751.00000000034F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename2379f9fe-9543-4c0b-b671-f5490ed118f9.exe4 vs hesaphareketi_1.scr.exe
Source: hesaphareketi_1.scr.exe, 00000000.00000002.1395292629.000000000157E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs hesaphareketi_1.scr.exe
Source: hesaphareketi_1.scr.exe, 00000000.00000002.1396974953.00000000044F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamegoesrecv.dllB vs hesaphareketi_1.scr.exe
Source: hesaphareketi_1.scr.exe, 00000000.00000002.1396974953.00000000044F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename2379f9fe-9543-4c0b-b671-f5490ed118f9.exe4 vs hesaphareketi_1.scr.exe
Source: hesaphareketi_1.scr.exe, 00000000.00000000.1378076626.000000000102C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameStorages.exe2 vs hesaphareketi_1.scr.exe
Source: hesaphareketi_1.scr.exe, 00000000.00000002.1400665428.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamegoesrecv.dllB vs hesaphareketi_1.scr.exe
Source: hesaphareketi_1.scr.exe, 00000004.00000002.2633683375.0000000001359000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs hesaphareketi_1.scr.exe
Source: hesaphareketi_1.scr.exe Binary or memory string: OriginalFilenameStorages.exe2 vs hesaphareketi_1.scr.exe
Uses 32bit PE files
Source: hesaphareketi_1.scr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 11.2.cbsBVT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.hesaphareketi_1.scr.exe.4661450.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.hesaphareketi_1.scr.exe.4661450.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.hesaphareketi_1.scr.exe.459a1b0.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.hesaphareketi_1.scr.exe.4549b80.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: hesaphareketi_1.scr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: cbsBVT.exe.4.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.hesaphareketi_1.scr.exe.5db0000.6.raw.unpack, ConstellationPanel.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareketi_1.scr.exe.4661450.2.raw.unpack, cPs8D.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareketi_1.scr.exe.4661450.2.raw.unpack, 72CF8egH.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareketi_1.scr.exe.4661450.2.raw.unpack, G5CXsdn.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareketi_1.scr.exe.4661450.2.raw.unpack, 3uPsILA6U.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.hesaphareketi_1.scr.exe.4661450.2.raw.unpack, 6oQOw74dfIt.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareketi_1.scr.exe.4661450.2.raw.unpack, aMIWm.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.hesaphareketi_1.scr.exe.4661450.2.raw.unpack, 3QjbQ514BDx.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareketi_1.scr.exe.4661450.2.raw.unpack, 3QjbQ514BDx.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareketi_1.scr.exe.5db0000.6.raw.unpack, Symbols.cs Base64 encoded string: 'xHpF2m2TxzO3qr4FIuPswPaRZvbKhAgsHoUgVc5c1AMOAI4xiJqOjlkD3YO/6qULkSENmFl3GsolqcGGkZrBbaRXVu7YY+n3wiyv8wS+UHUpwhx/IX6ZerqvTzuOLuRdO08npei7HwfH2wKRuaecB8P/FVecfW9FoWjF1A6O/68O0qK192cnIhUcctWjx/GW8ULXo/Un0WwvyWYxGKqhFtUjf6hQETjLzO/F68/W3GXggNfn4E0tbsHcWJ4Qs9QeauMywyAB+V1+9Uw+hcoLBpcocrYAhSqf6iaaMKaTanR4JlGBlD4IjJQmV1gvQRYmjDXbZawN8IgwRgaI+xcKtFjiFVvuA6CawFF5jzi4mENimIA39OD54y/zMb7idEh4oTy+f+VDOiQ16HbDvRyX1gv6ar2K+vNdRpiEk+FL75Dwi1y2R1DSLLrnXH75cn9Sxxkx16fkjltmZNwZYnnZc0VCbJz5PE8snBKcKUEemoAvDwcgj8rVX1tuhqqeYXrhP1hn6oaUpa8dLV9GkxPvUPm2U2PxYjlaVQk75pkxpaspctI89cBy4lXgWn0XYPaK1+WjxY5j1F5jeSb75FxuowoTWUXfk8j1s2KbANCsBuN3nd5227aIGAKGm+1kHAm/4MePOuLnj7mVqVrGuW9smZZvnluk2n2p0v6RGPmD818=', 'kcUEXaQPPIwtVFtC1PL/HXXkxfIZB03eNHvJetoP4hJTCBXd428OqcdPbPWqvhIczQvj71Ac6LZ7OG/e+yr4Bxet9vqIWevSzbdwqqWPf8nK2cPiNSfXdemqzBs1kBKEGQlnxKecRQs0Fim2Dq/kkqqyy4FT/M/7aleIZqMCZ4mq5jKj7zWHx8js/y7INNJykRnbqqkNJse2whyml6+Dho8xXhyKKjEjHHCQ++yYATPvU+ZwZGQ1aiyg3xM2+Mufv6OdiWo+NL8qVblSY+ML74QQ3+qn2cEZW8xaJcMAsMta6fJiSREwzJ1z86EfJ/jsm5waxGaL/ovb6ftrSW+RglFtTXsgBL0RqWZpQItqPDkF2hues0c5OGEtzNWaUVXn+H8FUCAJ+aqWE9AG5vtPYKXmrSZj5IG/6FHSIYC0nWBx5wHsGRTyzUgkPZMLeX0qotsCm9lMlGpxKlh+Z1oic1vbrF8QbV1eNo4t2Pb5oYAk/LIRoTnuPlLXjaubmL1hSqvzPQ/sVXzd5mXTvaOq58aApZHbOXkjfhfbDwVLc3Bjs25RTwPrIWsIAKwX/3kGBu/AxMY0Wb07NTJmloyghXyX9HTSpFE3N+D/N7l3tVWX/n6tnybXZUsRqFSB6rG1tbIR1a+4GVp+//5BqD3kM0VXcBGmG3xpyDSDCLIVVEXY5GyYN1vEkdGhjGvmeOX02f1RKB3vh5V5M5RcsEYhGsS36zuGpaNhrGf4h+7HDzTIU9/1Xl1nPdFaQmDFTIiidpmn26+9CW+g2SPIPlPDTjgkYnTmXT+O8PHwjD7K5IOwDZUbbAFA1Lrdc9IlU412XoEdl5mDZkue1zwbLWf+qvNJbFX8sXHehpGS3HbJZGQqyBs/WGnME/zTep7mu3SAbJ/9lw9DubLAWm3eZ/MVjBNuE3yDINYwtRQMJcyCjqvOUaWeWaIkvESwPYK4f4DzXPSa187wG+9AlgF8f2wQOygxX1dsc+xQUYb6mjfKphwvQfA49LiS6QNKSqz15qqR0H8SkeLLJ7txSyPf5o/Vb8ElYF2R/Dsozjt09H5PLZg8Mx42byNjie81RXixtgWQpr4xblQ9zxj5IaMqOBw3U6yvkKqUNQd1pRUx/33LazNTVFgHRwpx+LutF/m3Ilc9LDSXQ2sLYadTLNM4H6sg88B3Ku0bJgNkN8dFdIsCjQkk9Mdt0ps7+1BSph400PLXGB8Ouast6dmU+lpkXpEGr/mWHaX4VEifmt6MFtiG9jSUTjA2VqhJ2qS66jKrnf1CuWF5qWbXjRlBXUK1jLibI8Is03eHlVAWQOFZcrfOpPq3o0OxUDbCLddsIsPCScNdGrBY2q9RllmuBZNg/W6T5m+X2KNwjQyVBQxBU34LaUg9GMhx5G6e5/2Gji8UiH7/fu4jgyKbpw9r0egwJJndmdSHGUdUQ49W56s9vPelsDJb08XuAjWQXFOdA1Kmsw9Dh45XsM/m10+4XbpvyJ7XmTYJAvhQMXLFqtS4GpKG69JRuO4n+L6rSLGlFzxmsEhm3QM9iDYz2US4Un+EjCOwvFtl/eeSBED1CLnNZf4IbflrasiyFM6IFES8MG62FqpfoichpMq3Dt3tPmAgGD89QmkCsMCq8pGj+3BeDc98BauK1JlOc3iObuBFb0NChpfWa1lZmLvdMib+Wp2pqytptC5Ad7o8p4gSVACx6up/YNr6I8YhsqGIHpFV7Jvk6nzQ19vdCSYcUt+o2i12lPTyUqO5WujSq7P41U0w2rtJQ26/ZzkoCHMKUckEWvk2ei4A+bBCG2520B3/6O1EclfvsvlFIIf2mfft+6FFGP8enxtpFqG/1EAjM3sSS6IKARWsy3s4D5H+dtzPSaR/PDr2jejgFGRPxSbuLutKf4Kq55+afwF989Ad3WDqFcnmc5BwJhXFPxqlmhbPFSMnMVSksaW8UAhMCwLnt31FSm9CfeXXjCj8+hrMcPtn4+PDQeiLyf5/nD/vwOnFGKuLEm9JR/FzB5RktFNWqSYEqRzg8LgsYcEHc4zWyBiABM1LbR2nzax5QE3aZASIx1za/lqdqTVimq7MZbrwQrWQinziaucgzSHxKw880yNElAHNJZFw5Z4rZRzj/oK/kMoAhV4H1jnZbSuePHvddP24l9YOvlGpCsWrI3fk7BWzD8DJD3X2bGim8xoEt4g/R1aCZC/UMvPk/1IixbWw1P+li3OayxAQlbUqmb7DPHGvkbTD8evGdp3QwQWtGkbPRmu+iUWIEefvCP02tcFiIPdm82jN+Oc7+krSiRmxMiJMVt8h+1THUxoF3qD
Source: 0.2.hesaphareketi_1.scr.exe.4549b80.3.raw.unpack, Symbols.cs Base64 encoded string: 'xHpF2m2TxzO3qr4FIuPswPaRZvbKhAgsHoUgVc5c1AMOAI4xiJqOjlkD3YO/6qULkSENmFl3GsolqcGGkZrBbaRXVu7YY+n3wiyv8wS+UHUpwhx/IX6ZerqvTzuOLuRdO08npei7HwfH2wKRuaecB8P/FVecfW9FoWjF1A6O/68O0qK192cnIhUcctWjx/GW8ULXo/Un0WwvyWYxGKqhFtUjf6hQETjLzO/F68/W3GXggNfn4E0tbsHcWJ4Qs9QeauMywyAB+V1+9Uw+hcoLBpcocrYAhSqf6iaaMKaTanR4JlGBlD4IjJQmV1gvQRYmjDXbZawN8IgwRgaI+xcKtFjiFVvuA6CawFF5jzi4mENimIA39OD54y/zMb7idEh4oTy+f+VDOiQ16HbDvRyX1gv6ar2K+vNdRpiEk+FL75Dwi1y2R1DSLLrnXH75cn9Sxxkx16fkjltmZNwZYnnZc0VCbJz5PE8snBKcKUEemoAvDwcgj8rVX1tuhqqeYXrhP1hn6oaUpa8dLV9GkxPvUPm2U2PxYjlaVQk75pkxpaspctI89cBy4lXgWn0XYPaK1+WjxY5j1F5jeSb75FxuowoTWUXfk8j1s2KbANCsBuN3nd5227aIGAKGm+1kHAm/4MePOuLnj7mVqVrGuW9smZZvnluk2n2p0v6RGPmD818=', 'kcUEXaQPPIwtVFtC1PL/HXXkxfIZB03eNHvJetoP4hJTCBXd428OqcdPbPWqvhIczQvj71Ac6LZ7OG/e+yr4Bxet9vqIWevSzbdwqqWPf8nK2cPiNSfXdemqzBs1kBKEGQlnxKecRQs0Fim2Dq/kkqqyy4FT/M/7aleIZqMCZ4mq5jKj7zWHx8js/y7INNJykRnbqqkNJse2whyml6+Dho8xXhyKKjEjHHCQ++yYATPvU+ZwZGQ1aiyg3xM2+Mufv6OdiWo+NL8qVblSY+ML74QQ3+qn2cEZW8xaJcMAsMta6fJiSREwzJ1z86EfJ/jsm5waxGaL/ovb6ftrSW+RglFtTXsgBL0RqWZpQItqPDkF2hues0c5OGEtzNWaUVXn+H8FUCAJ+aqWE9AG5vtPYKXmrSZj5IG/6FHSIYC0nWBx5wHsGRTyzUgkPZMLeX0qotsCm9lMlGpxKlh+Z1oic1vbrF8QbV1eNo4t2Pb5oYAk/LIRoTnuPlLXjaubmL1hSqvzPQ/sVXzd5mXTvaOq58aApZHbOXkjfhfbDwVLc3Bjs25RTwPrIWsIAKwX/3kGBu/AxMY0Wb07NTJmloyghXyX9HTSpFE3N+D/N7l3tVWX/n6tnybXZUsRqFSB6rG1tbIR1a+4GVp+//5BqD3kM0VXcBGmG3xpyDSDCLIVVEXY5GyYN1vEkdGhjGvmeOX02f1RKB3vh5V5M5RcsEYhGsS36zuGpaNhrGf4h+7HDzTIU9/1Xl1nPdFaQmDFTIiidpmn26+9CW+g2SPIPlPDTjgkYnTmXT+O8PHwjD7K5IOwDZUbbAFA1Lrdc9IlU412XoEdl5mDZkue1zwbLWf+qvNJbFX8sXHehpGS3HbJZGQqyBs/WGnME/zTep7mu3SAbJ/9lw9DubLAWm3eZ/MVjBNuE3yDINYwtRQMJcyCjqvOUaWeWaIkvESwPYK4f4DzXPSa187wG+9AlgF8f2wQOygxX1dsc+xQUYb6mjfKphwvQfA49LiS6QNKSqz15qqR0H8SkeLLJ7txSyPf5o/Vb8ElYF2R/Dsozjt09H5PLZg8Mx42byNjie81RXixtgWQpr4xblQ9zxj5IaMqOBw3U6yvkKqUNQd1pRUx/33LazNTVFgHRwpx+LutF/m3Ilc9LDSXQ2sLYadTLNM4H6sg88B3Ku0bJgNkN8dFdIsCjQkk9Mdt0ps7+1BSph400PLXGB8Ouast6dmU+lpkXpEGr/mWHaX4VEifmt6MFtiG9jSUTjA2VqhJ2qS66jKrnf1CuWF5qWbXjRlBXUK1jLibI8Is03eHlVAWQOFZcrfOpPq3o0OxUDbCLddsIsPCScNdGrBY2q9RllmuBZNg/W6T5m+X2KNwjQyVBQxBU34LaUg9GMhx5G6e5/2Gji8UiH7/fu4jgyKbpw9r0egwJJndmdSHGUdUQ49W56s9vPelsDJb08XuAjWQXFOdA1Kmsw9Dh45XsM/m10+4XbpvyJ7XmTYJAvhQMXLFqtS4GpKG69JRuO4n+L6rSLGlFzxmsEhm3QM9iDYz2US4Un+EjCOwvFtl/eeSBED1CLnNZf4IbflrasiyFM6IFES8MG62FqpfoichpMq3Dt3tPmAgGD89QmkCsMCq8pGj+3BeDc98BauK1JlOc3iObuBFb0NChpfWa1lZmLvdMib+Wp2pqytptC5Ad7o8p4gSVACx6up/YNr6I8YhsqGIHpFV7Jvk6nzQ19vdCSYcUt+o2i12lPTyUqO5WujSq7P41U0w2rtJQ26/ZzkoCHMKUckEWvk2ei4A+bBCG2520B3/6O1EclfvsvlFIIf2mfft+6FFGP8enxtpFqG/1EAjM3sSS6IKARWsy3s4D5H+dtzPSaR/PDr2jejgFGRPxSbuLutKf4Kq55+afwF989Ad3WDqFcnmc5BwJhXFPxqlmhbPFSMnMVSksaW8UAhMCwLnt31FSm9CfeXXjCj8+hrMcPtn4+PDQeiLyf5/nD/vwOnFGKuLEm9JR/FzB5RktFNWqSYEqRzg8LgsYcEHc4zWyBiABM1LbR2nzax5QE3aZASIx1za/lqdqTVimq7MZbrwQrWQinziaucgzSHxKw880yNElAHNJZFw5Z4rZRzj/oK/kMoAhV4H1jnZbSuePHvddP24l9YOvlGpCsWrI3fk7BWzD8DJD3X2bGim8xoEt4g/R1aCZC/UMvPk/1IixbWw1P+li3OayxAQlbUqmb7DPHGvkbTD8evGdp3QwQWtGkbPRmu+iUWIEefvCP02tcFiIPdm82jN+Oc7+krSiRmxMiJMVt8h+1THUxoF3qD
Source: 0.2.hesaphareketi_1.scr.exe.459a1b0.4.raw.unpack, Symbols.cs Base64 encoded string: 'xHpF2m2TxzO3qr4FIuPswPaRZvbKhAgsHoUgVc5c1AMOAI4xiJqOjlkD3YO/6qULkSENmFl3GsolqcGGkZrBbaRXVu7YY+n3wiyv8wS+UHUpwhx/IX6ZerqvTzuOLuRdO08npei7HwfH2wKRuaecB8P/FVecfW9FoWjF1A6O/68O0qK192cnIhUcctWjx/GW8ULXo/Un0WwvyWYxGKqhFtUjf6hQETjLzO/F68/W3GXggNfn4E0tbsHcWJ4Qs9QeauMywyAB+V1+9Uw+hcoLBpcocrYAhSqf6iaaMKaTanR4JlGBlD4IjJQmV1gvQRYmjDXbZawN8IgwRgaI+xcKtFjiFVvuA6CawFF5jzi4mENimIA39OD54y/zMb7idEh4oTy+f+VDOiQ16HbDvRyX1gv6ar2K+vNdRpiEk+FL75Dwi1y2R1DSLLrnXH75cn9Sxxkx16fkjltmZNwZYnnZc0VCbJz5PE8snBKcKUEemoAvDwcgj8rVX1tuhqqeYXrhP1hn6oaUpa8dLV9GkxPvUPm2U2PxYjlaVQk75pkxpaspctI89cBy4lXgWn0XYPaK1+WjxY5j1F5jeSb75FxuowoTWUXfk8j1s2KbANCsBuN3nd5227aIGAKGm+1kHAm/4MePOuLnj7mVqVrGuW9smZZvnluk2n2p0v6RGPmD818=', 'kcUEXaQPPIwtVFtC1PL/HXXkxfIZB03eNHvJetoP4hJTCBXd428OqcdPbPWqvhIczQvj71Ac6LZ7OG/e+yr4Bxet9vqIWevSzbdwqqWPf8nK2cPiNSfXdemqzBs1kBKEGQlnxKecRQs0Fim2Dq/kkqqyy4FT/M/7aleIZqMCZ4mq5jKj7zWHx8js/y7INNJykRnbqqkNJse2whyml6+Dho8xXhyKKjEjHHCQ++yYATPvU+ZwZGQ1aiyg3xM2+Mufv6OdiWo+NL8qVblSY+ML74QQ3+qn2cEZW8xaJcMAsMta6fJiSREwzJ1z86EfJ/jsm5waxGaL/ovb6ftrSW+RglFtTXsgBL0RqWZpQItqPDkF2hues0c5OGEtzNWaUVXn+H8FUCAJ+aqWE9AG5vtPYKXmrSZj5IG/6FHSIYC0nWBx5wHsGRTyzUgkPZMLeX0qotsCm9lMlGpxKlh+Z1oic1vbrF8QbV1eNo4t2Pb5oYAk/LIRoTnuPlLXjaubmL1hSqvzPQ/sVXzd5mXTvaOq58aApZHbOXkjfhfbDwVLc3Bjs25RTwPrIWsIAKwX/3kGBu/AxMY0Wb07NTJmloyghXyX9HTSpFE3N+D/N7l3tVWX/n6tnybXZUsRqFSB6rG1tbIR1a+4GVp+//5BqD3kM0VXcBGmG3xpyDSDCLIVVEXY5GyYN1vEkdGhjGvmeOX02f1RKB3vh5V5M5RcsEYhGsS36zuGpaNhrGf4h+7HDzTIU9/1Xl1nPdFaQmDFTIiidpmn26+9CW+g2SPIPlPDTjgkYnTmXT+O8PHwjD7K5IOwDZUbbAFA1Lrdc9IlU412XoEdl5mDZkue1zwbLWf+qvNJbFX8sXHehpGS3HbJZGQqyBs/WGnME/zTep7mu3SAbJ/9lw9DubLAWm3eZ/MVjBNuE3yDINYwtRQMJcyCjqvOUaWeWaIkvESwPYK4f4DzXPSa187wG+9AlgF8f2wQOygxX1dsc+xQUYb6mjfKphwvQfA49LiS6QNKSqz15qqR0H8SkeLLJ7txSyPf5o/Vb8ElYF2R/Dsozjt09H5PLZg8Mx42byNjie81RXixtgWQpr4xblQ9zxj5IaMqOBw3U6yvkKqUNQd1pRUx/33LazNTVFgHRwpx+LutF/m3Ilc9LDSXQ2sLYadTLNM4H6sg88B3Ku0bJgNkN8dFdIsCjQkk9Mdt0ps7+1BSph400PLXGB8Ouast6dmU+lpkXpEGr/mWHaX4VEifmt6MFtiG9jSUTjA2VqhJ2qS66jKrnf1CuWF5qWbXjRlBXUK1jLibI8Is03eHlVAWQOFZcrfOpPq3o0OxUDbCLddsIsPCScNdGrBY2q9RllmuBZNg/W6T5m+X2KNwjQyVBQxBU34LaUg9GMhx5G6e5/2Gji8UiH7/fu4jgyKbpw9r0egwJJndmdSHGUdUQ49W56s9vPelsDJb08XuAjWQXFOdA1Kmsw9Dh45XsM/m10+4XbpvyJ7XmTYJAvhQMXLFqtS4GpKG69JRuO4n+L6rSLGlFzxmsEhm3QM9iDYz2US4Un+EjCOwvFtl/eeSBED1CLnNZf4IbflrasiyFM6IFES8MG62FqpfoichpMq3Dt3tPmAgGD89QmkCsMCq8pGj+3BeDc98BauK1JlOc3iObuBFb0NChpfWa1lZmLvdMib+Wp2pqytptC5Ad7o8p4gSVACx6up/YNr6I8YhsqGIHpFV7Jvk6nzQ19vdCSYcUt+o2i12lPTyUqO5WujSq7P41U0w2rtJQ26/ZzkoCHMKUckEWvk2ei4A+bBCG2520B3/6O1EclfvsvlFIIf2mfft+6FFGP8enxtpFqG/1EAjM3sSS6IKARWsy3s4D5H+dtzPSaR/PDr2jejgFGRPxSbuLutKf4Kq55+afwF989Ad3WDqFcnmc5BwJhXFPxqlmhbPFSMnMVSksaW8UAhMCwLnt31FSm9CfeXXjCj8+hrMcPtn4+PDQeiLyf5/nD/vwOnFGKuLEm9JR/FzB5RktFNWqSYEqRzg8LgsYcEHc4zWyBiABM1LbR2nzax5QE3aZASIx1za/lqdqTVimq7MZbrwQrWQinziaucgzSHxKw880yNElAHNJZFw5Z4rZRzj/oK/kMoAhV4H1jnZbSuePHvddP24l9YOvlGpCsWrI3fk7BWzD8DJD3X2bGim8xoEt4g/R1aCZC/UMvPk/1IixbWw1P+li3OayxAQlbUqmb7DPHGvkbTD8evGdp3QwQWtGkbPRmu+iUWIEefvCP02tcFiIPdm82jN+Oc7+krSiRmxMiJMVt8h+1THUxoF3qD
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@25/20@2/3
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe File created: C:\Users\user\AppData\Roaming\cbsBVT Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4608:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2672:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2768:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fllulnlq.3yr.ps1 Jump to behavior
Source: hesaphareketi_1.scr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: hesaphareketi_1.scr.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: hesaphareketi_1.scr.exe ReversingLabs: Detection: 52%
Source: hesaphareketi_1.scr.exe Virustotal: Detection: 38%
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe File read: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\hesaphareketi_1.scr.exe "C:\Users\user\Desktop\hesaphareketi_1.scr.exe"
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\Desktop\hesaphareketi_1.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process created: C:\Users\user\Desktop\hesaphareketi_1.scr.exe "C:\Users\user\Desktop\hesaphareketi_1.scr.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\Desktop\hesaphareketi_1.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe' Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process created: C:\Users\user\Desktop\hesaphareketi_1.scr.exe "C:\Users\user\Desktop\hesaphareketi_1.scr.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe' Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: hesaphareketi_1.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: hesaphareketi_1.scr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\GT350\source\repos\AtllasRunp\AtllasRunp\obj\Debug\Bienvenida.pdb source: hesaphareketi_1.scr.exe, 00000000.00000002.1400527379.0000000005C20000.00000004.08000000.00040000.00000000.sdmp, hesaphareketi_1.scr.exe, 00000000.00000002.1396824751.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 00000006.00000002.1576509993.0000000003031000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000E.00000002.1661164916.0000000002A23000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb{+Ll0 source: powershell.exe, 0000000F.00000002.1710961806.000000000867F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdbst.resources.dll source: powershell.exe, 00000007.00000002.1584908607.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb/: source: powershell.exe, 0000000F.00000002.1703052636.0000000007789000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1409770708.00000000028E9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1603996918.000000000762C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1672956754.000000000324F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1422525987.000000000807F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1608334741.000000000861A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.1607940683.00000000085D3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.1703052636.00000000077EA000.00000004.00000020.00020000.00000000.sdmp
Binary contains a suspicious time stamp
Source: hesaphareketi_1.scr.exe Static PE information: 0xDE088ED3 [Fri Jan 16 14:46:43 2088 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Code function: 0_2_059DE6AF push 5D01A556h; ret 0_2_059DE660
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Code function: 4_2_030A0CB5 push edi; ret 4_2_030A0CC2
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Code function: 4_2_0708244F push es; ret 4_2_07082460
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_04A442B8 push ebx; ret 7_2_04A442DA
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 11_2_013C0CB5 push edi; ret 11_2_013C0CC2
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_02D60C93 push edi; retf 19_2_02D60C3A
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_02D60CB5 push edi; ret 19_2_02D60CC2
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_06D55178 push es; ret 19_2_06D55170
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_06D55162 push es; ret 19_2_06D55170
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_06D7805B push ebp; iretd 19_2_06D7805E
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_06D741F7 push ss; iretd 19_2_06D741FA
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_06D741FB push ss; iretd 19_2_06D74202
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_06D79131 push 65A806CFh; iretd 19_2_06D79136
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_06D72EDF push cs; iretd 19_2_06D73452
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_06D77D70 push esi; iretd 19_2_06D7805A
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_06D77D67 push edx; iretd 19_2_06D77D6A
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_06D77D60 push edx; iretd 19_2_06D77D66
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_06D78A08 pushad ; iretd 19_2_06D78A0E
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_06D748E1 push ds; iretd 19_2_06D748E2
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_071211B0 push es; ret 19_2_071211C0
Source: hesaphareketi_1.scr.exe Static PE information: section name: .text entropy: 7.933213587645533
Source: cbsBVT.exe.4.dr Static PE information: section name: .text entropy: 7.933213587645533
Drops PE files
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe File created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Jump to dropped file
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cbsBVT Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cbsBVT Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe File opened: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe:Zone.Identifier read attributes | delete Jump to behavior
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Memory allocated: 19E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Memory allocated: 34F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Memory allocated: 3410000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Memory allocated: 30A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Memory allocated: 3140000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Memory allocated: 5140000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Memory allocated: 1210000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Memory allocated: 3030000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Memory allocated: 1580000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Memory allocated: 13C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Memory allocated: 3120000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Memory allocated: 16A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Memory allocated: FB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Memory allocated: 2920000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Memory allocated: 4920000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Memory allocated: 2D60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Memory allocated: 2F10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Memory allocated: 4F10000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6398 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3132 Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Window / User API: threadDelayed 3906 Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Window / User API: threadDelayed 995 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7316 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2099 Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Window / User API: threadDelayed 1241
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Window / User API: threadDelayed 3231
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7488
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2056
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Window / User API: threadDelayed 1958
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Window / User API: threadDelayed 2520
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6100 Thread sleep count: 6398 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5084 Thread sleep time: -6456360425798339s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5812 Thread sleep count: 3132 > 30 Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -14757395258967632s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -99874s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -99765s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -99656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -99546s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -99437s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -99328s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -99217s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -99104s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -99000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -98890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -98781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -98671s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -98562s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -98447s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -98328s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -98218s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -98095s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -97968s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -97859s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -97749s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -97640s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -97531s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -97421s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3228 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 4824 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3840 Thread sleep count: 7316 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3764 Thread sleep count: 2099 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4464 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 1440 Thread sleep count: 1241 > 30
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328 Thread sleep time: -99874s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 1440 Thread sleep count: 3231 > 30
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328 Thread sleep time: -99764s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328 Thread sleep time: -99652s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328 Thread sleep time: -99547s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328 Thread sleep time: -99434s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328 Thread sleep time: -99328s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328 Thread sleep time: -99218s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328 Thread sleep time: -99109s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328 Thread sleep time: -99000s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328 Thread sleep time: -98890s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328 Thread sleep time: -98779s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328 Thread sleep time: -98670s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328 Thread sleep time: -98562s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328 Thread sleep time: -98453s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328 Thread sleep time: -98344s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328 Thread sleep time: -98234s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328 Thread sleep time: -98125s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328 Thread sleep time: -98015s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328 Thread sleep time: -97906s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328 Thread sleep time: -97797s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328 Thread sleep time: -97687s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 5176 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4564 Thread sleep count: 7488 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6588 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5432 Thread sleep count: 2056 > 30
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736 Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 3828 Thread sleep count: 1958 > 30
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736 Thread sleep time: -99890s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736 Thread sleep time: -99778s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 3828 Thread sleep count: 2520 > 30
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736 Thread sleep time: -99669s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736 Thread sleep time: -99562s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736 Thread sleep time: -99453s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736 Thread sleep time: -99343s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736 Thread sleep time: -99234s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736 Thread sleep time: -99095s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736 Thread sleep time: -98968s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736 Thread sleep time: -98859s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736 Thread sleep time: -98745s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736 Thread sleep time: -98617s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736 Thread sleep time: -98507s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736 Thread sleep time: -98390s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736 Thread sleep time: -98281s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736 Thread sleep time: -98172s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736 Thread sleep time: -98059s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736 Thread sleep time: -97952s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736 Thread sleep time: -97843s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736 Thread sleep time: -97734s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736 Thread sleep time: -97625s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736 Thread sleep time: -922337203685477s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Thread delayed: delay time: 99874 Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Thread delayed: delay time: 99765 Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Thread delayed: delay time: 99656 Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Thread delayed: delay time: 99546 Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Thread delayed: delay time: 99437 Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Thread delayed: delay time: 99328 Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Thread delayed: delay time: 99217 Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Thread delayed: delay time: 99104 Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Thread delayed: delay time: 99000 Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Thread delayed: delay time: 98890 Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Thread delayed: delay time: 98781 Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Thread delayed: delay time: 98671 Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Thread delayed: delay time: 98562 Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Thread delayed: delay time: 98447 Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Thread delayed: delay time: 98328 Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Thread delayed: delay time: 98218 Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Thread delayed: delay time: 98095 Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Thread delayed: delay time: 97968 Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Thread delayed: delay time: 97859 Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Thread delayed: delay time: 97749 Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Thread delayed: delay time: 97640 Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Thread delayed: delay time: 97531 Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Thread delayed: delay time: 97421 Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 99874
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 99764
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 99652
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 99547
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 99434
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 99328
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 99218
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 99109
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 99000
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 98890
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 98779
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 98670
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 98562
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 98453
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 98344
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 98234
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 98125
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 98015
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 97906
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 97797
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 97687
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 99890
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 99778
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 99669
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 99562
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 99453
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 99343
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 99234
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 99095
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 98968
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 98859
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 98745
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 98617
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 98507
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 98390
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 98281
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 98172
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 98059
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 97952
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 97843
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 97734
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 97625
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 922337203685477
Source: powershell.exe, 0000000F.00000002.1679690872.00000000050C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 0000000F.00000002.1679690872.00000000050C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
Source: svchost.exe, 00000005.00000002.2639144289.0000026D5AA58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2637323659.0000026D5562B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: powershell.exe, 0000000F.00000002.1679690872.00000000050C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
Source: hesaphareketi_1.scr.exe, 00000004.00000002.2636111594.000000000164E000.00000004.00000020.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1657051554.0000000001490000.00000004.00000020.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2633915220.0000000001234000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
.NET source code references suspicious native API functions
Source: 0.2.hesaphareketi_1.scr.exe.35f3aec.0.raw.unpack, QJDLGErGwGLnDsDTGnUfx.cs Reference to suspicious API methods: MyGetProcAddress(hProcess, Name)
Source: 0.2.hesaphareketi_1.scr.exe.35f3aec.0.raw.unpack, QJDLGErGwGLnDsDTGnUfx.cs Reference to suspicious API methods: LoadLibraryA(ref name)
Source: 0.2.hesaphareketi_1.scr.exe.4661450.2.raw.unpack, Ljq6xD21ACX.cs Reference to suspicious API methods: OZkujShDCVG.OpenProcess(aPNZ30.DuplicateHandle, bInheritHandle: true, (uint)snUp2.ProcessID)
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Memory written: C:\Users\user\Desktop\hesaphareketi_1.scr.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\Desktop\hesaphareketi_1.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe' Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process created: C:\Users\user\Desktop\hesaphareketi_1.scr.exe "C:\Users\user\Desktop\hesaphareketi_1.scr.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe' Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" ??????????-??????????e??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????p??????????o??????????l??????????i??????????c??????????y?????????? ??????????b??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????c?????????o?????????p?????????y?????????-?????????i?????????t?????????e?????????m 'c:\users\user\desktop\hesaphareketi_1.scr.exe' 'c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\.exe'
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" ??????????-??????????e??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????p??????????o??????????l??????????i??????????c??????????y?????????? ??????????b??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????c?????????o?????????p?????????y?????????-?????????i?????????t?????????e?????????m 'c:\users\user\appdata\roaming\cbsbvt\cbsbvt.exe' 'c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\.exe'
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" ??????????-??????????e??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????p??????????o??????????l??????????i??????????c??????????y?????????? ??????????b??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????c?????????o?????????p?????????y?????????-?????????i?????????t?????????e?????????m 'c:\users\user\appdata\roaming\cbsbvt\cbsbvt.exe' 'c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\.exe'
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" ??????????-??????????e??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????p??????????o??????????l??????????i??????????c??????????y?????????? ??????????b??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????c?????????o?????????p?????????y?????????-?????????i?????????t?????????e?????????m 'c:\users\user\desktop\hesaphareketi_1.scr.exe' 'c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\.exe' Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" ??????????-??????????e??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????p??????????o??????????l??????????i??????????c??????????y?????????? ??????????b??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????c?????????o?????????p?????????y?????????-?????????i?????????t?????????e?????????m 'c:\users\user\appdata\roaming\cbsbvt\cbsbvt.exe' 'c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\.exe' Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" ??????????-??????????e??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????p??????????o??????????l??????????i??????????c??????????y?????????? ??????????b??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????c?????????o?????????p?????????y?????????-?????????i?????????t?????????e?????????m 'c:\users\user\appdata\roaming\cbsbvt\cbsbvt.exe' 'c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\.exe'
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Queries volume information: C:\Users\user\Desktop\hesaphareketi_1.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Queries volume information: C:\Users\user\Desktop\hesaphareketi_1.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Queries volume information: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Queries volume information: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Queries volume information: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Queries volume information: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 11.2.cbsBVT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.hesaphareketi_1.scr.exe.4661450.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.hesaphareketi_1.scr.exe.4661450.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.hesaphareketi_1.scr.exe.459a1b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.hesaphareketi_1.scr.exe.4549b80.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.1662306646.000000000319C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2639565652.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1662306646.00000000031A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2639565652.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1662306646.0000000003171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1650972746.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2641024996.00000000031BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2639565652.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2641024996.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2641024996.00000000031C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1396974953.00000000044F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: hesaphareketi_1.scr.exe PID: 4276, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: hesaphareketi_1.scr.exe PID: 1988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cbsBVT.exe PID: 5296, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cbsBVT.exe PID: 3040, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe File opened: C:\FTP Navigator\Ftplist.txt
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected Credential Stealer
Source: Yara match File source: 11.2.cbsBVT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.hesaphareketi_1.scr.exe.4661450.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.hesaphareketi_1.scr.exe.4661450.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.hesaphareketi_1.scr.exe.459a1b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.hesaphareketi_1.scr.exe.4549b80.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.1662306646.0000000003171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1650972746.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2639565652.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2641024996.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1396974953.00000000044F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: hesaphareketi_1.scr.exe PID: 4276, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: hesaphareketi_1.scr.exe PID: 1988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cbsBVT.exe PID: 5296, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cbsBVT.exe PID: 3040, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 11.2.cbsBVT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.hesaphareketi_1.scr.exe.4661450.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.hesaphareketi_1.scr.exe.4661450.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.hesaphareketi_1.scr.exe.459a1b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.hesaphareketi_1.scr.exe.4549b80.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.1662306646.000000000319C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2639565652.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1662306646.00000000031A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2639565652.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1662306646.0000000003171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1650972746.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2641024996.00000000031BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2639565652.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2641024996.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2641024996.00000000031C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1396974953.00000000044F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: hesaphareketi_1.scr.exe PID: 4276, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: hesaphareketi_1.scr.exe PID: 1988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cbsBVT.exe PID: 5296, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cbsBVT.exe PID: 3040, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1430777 Sample: hesaphareketi_1.scr.exe Startdate: 24/04/2024 Architecture: WINDOWS Score: 100 49 business29.web-hosting.com 2->49 51 api.ipify.org 2->51 59 Found malware configuration 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 Antivirus detection for URL or domain 2->63 65 6 other signatures 2->65 8 hesaphareketi_1.scr.exe 2 2->8         started        11 cbsBVT.exe 3 2->11         started        13 cbsBVT.exe 2->13         started        15 svchost.exe 1 1 2->15         started        signatures3 process4 dnsIp5 79 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->79 81 Injects a PE file into a foreign processes 8->81 18 hesaphareketi_1.scr.exe 16 5 8->18         started        23 powershell.exe 21 8->23         started        83 Antivirus detection for dropped file 11->83 85 Multi AV Scanner detection for dropped file 11->85 87 Machine Learning detection for dropped file 11->87 25 cbsBVT.exe 11->25         started        27 powershell.exe 21 11->27         started        29 cbsBVT.exe 11->29         started        31 cbsBVT.exe 13->31         started        33 powershell.exe 13->33         started        35 cbsBVT.exe 13->35         started        37 cbsBVT.exe 13->37         started        57 127.0.0.1 unknown unknown 15->57 signatures6 process7 dnsIp8 53 business29.web-hosting.com 198.54.114.199, 49709, 49715, 49718 NAMECHEAP-NETUS United States 18->53 55 api.ipify.org 104.26.13.205, 443, 49707, 49713 CLOUDFLARENETUS United States 18->55 45 C:\Users\user\AppData\Roaming\...\cbsBVT.exe, PE32 18->45 dropped 47 C:\Users\user\...\cbsBVT.exe:Zone.Identifier, ASCII 18->47 dropped 67 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->67 69 Tries to steal Mail credentials (via file / registry access) 18->69 71 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->71 39 conhost.exe 23->39         started        73 Loading BitLocker PowerShell Module 27->73 41 conhost.exe 27->41         started        75 Tries to harvest and steal ftp login credentials 31->75 77 Tries to harvest and steal browser information (history, passwords, etc) 31->77 43 conhost.exe 33->43         started        file9 signatures10 process11
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
198.54.114.199
 business29.web-hosting.com United States
22612 NAMECHEAP-NETUS false
104.26.13.205
 api.ipify.org United States
13335 CLOUDFLARENETUS false

Private

IP
127.0.0.1

Contacted Domains

Name IP Active
api.ipify.org 104.26.13.205 true
business29.web-hosting.com 198.54.114.199 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.ipify.org/ false
    		high